UK’s digital ID scheme, GOV.UK One Login, allegedly contains a host of serious vulnerabilities affecting security and data protection, that are “built in” and present in the system since its launch.
These claims come from a whistleblower, a security expert who worked for the Government Digital Service (GDS, a part of the Department for Science, Innovation and Technology). The most grave consequences stemming from the flaws – that the whistleblower first pointed out through proper channels in 2022, only to be ignored – would include data breaches.
Another threat from more than half a million system vulnerabilities that they said were identified is identity theft. At this time, some three million people in the UK use the system to access 50 government services.
The security expert, whose identity has not been revealed in reports about the brewing scandal, asserted that thousands of vulnerabilities identified were rated as either critical or high.
The whistleblower’s account of the events suggests the authorities went for a slapdash approach to setting up the digital ID infrastructure, not only from the technical but also from the policy point of view.
“Basic” governance and risk management were not in place, according to the source, while the £330 ($436.70) million in funding arrived thanks to the business case that featured “misleading claims” regarding the quality of the scheme’s security.
And when the decision was made to outsource development to Romania, it came without GDS CEO’s approval, and without consultation with the National Cyber Security Center (NCSC).
Hellbound and Down 