UK’s digital ID scheme, GOV.UK One Login, allegedly contains a host of serious vulnerabilities affecting security and data protection, that are “built in” and present in the system since its launch.
These claims come from a whistleblower, a security expert who worked for the Government Digital Service (GDS, a part of the Department for Science, Innovation and Technology). The most grave consequences stemming from the flaws – that the whistleblower first pointed out through proper channels in 2022, only to be ignored – would include data breaches.
Another threat from more than half a million system vulnerabilities that they said were identified is identity theft. At this time, some three million people in the UK use the system to access 50 government services.
The security expert, whose identity has not been revealed in reports about the brewing scandal, asserted that thousands of vulnerabilities identified were rated as either critical or high.
The whistleblower’s account of the events suggests the authorities went for a slapdash approach to setting up the digital ID infrastructure, not only from the technical but also from the policy point of view.
“Basic” governance and risk management were not in place, according to the source, while the £330 ($436.70) million in funding arrived thanks to the business case that featured “misleading claims” regarding the quality of the scheme’s security.
And when the decision was made to outsource development to Romania, it came without GDS CEO’s approval, and without consultation with the National Cyber Security Center (NCSC).
It gets worse from here: the chief information security officer for GDS later carried out an investigation that reportedly confirmed the problems – only for the agency to decide not to mention this, when responding to a letter an MP sent to the Cabinet Office, asking about One Login’s security problems.
That MP appears to be the one the whistleblower previously contacted with their information, after waiting 18 months for the problems to be addressed by GDS.
But GDS did take some action – against the whistleblower.
Even though the MP was informed in line with the Public Interest Disclosure Act that should have protected the security expert, he faced disciplinary action.
At this time, the Department for Science, Innovation and Technology continues to claim that One Login is “secure.”