[ISN] ID card fears as staff hack into Home Office database

From: InfoSec News (alerts@private)
Date: Sun Aug 27 2006 - 22:02:53 PDT


http://www.thisislondon.co.uk/news/article-23364764-details/ID+card+fears+as+staff+hack+into+Home+Office+database/article.do

27.08.06

Home Office staff are hacking into the department's computers, putting at 
risk the privacy of 40million people in Britain.

The revelation undermines Government claims that sensitive information 
being collected for its controversial ID Cards scheme could not fall 
into criminal hands.

The security breaches occurred at the Identity and Passport Service, 
which is setting up the National Identity Register to provide access to 
individuals' health, financial and police records as part of the 
£8billion ID card scheme scheduled to begin in 2008.

MPs and technology experts have expressed fears that the national 
register, which will store sensitive details of more than 40million 
people, will be a honeypot for hackers and identity thieves. Liberal 
Democrat Home Affairs spokesman Mark Hunter said: 'These revelations 
show it is folly to put all the precious personal data of our citizens 
in one place.'

Personal information about every British passport holder - including 
their date of birth, mother's maiden name, address and photographs - is 
already held in the IPS computers.

A Home Office spokesman last night confirmed the IPS security breaches. 
He also confirmed that three staff involved had been sacked and a fourth 
had resigned before disciplinary procedures had concluded.

The spokesman said none of the security breaches involved 'hacking' by 
outside criminals, and a 'whole range of protocols and procedures' were 
in place to protect Home Office databases from unauthorised staff use.

He said: 'System checks are routinely carried out and any violation is 
dealt with severely.'

The spokesman added that the ID Cards database would be a 'completely 
different' system.

Home Office figures show that the department's databases have been 
successfully penetrated on average once a year since 2001.

Four of these security failures were at databases maintained by the IPS, 
an executive agency of the Home Office created in April.

Computer experts warn that more security breaches are likely to have 
gone undetected.

Phil Booth, of the NO2ID campaign, said government databases would 
always be vulnerable to unscrupulous staff.

'That these breaches have taken place in the very agency that is 
supposed to be protecting the identities of every citizen in this 
country is a damning indictment of the current system,' he said.

'But when you consider that this agency will be running the ID card 
scheme, it's truly terrifying.'

John Tullett, the technology editor of Secure Computing magazine, said 
the Home Office would be 'naive' to assume that the total of recorded 
breaches reflects the real number of security violations at the 
department.

He said: 'The trend in IT crime is towards "silent" breaches where very 
competent criminals get into a system and cover their tracks so they can 
get in again in future, all without the victim ever knowing.'

