On May 18 the U.K. Data Protection Commissioner said in a Channel 4 news report that he is going to investigate why an online visa application system left the personally identifiable information (PII) of around 50,000 applicants from India who had applied for U.K. passports viewable on the Internet.
The online visa applications area for residents from India was taken down soon after the report.
The application security flaw…er, gaping hole…was reported by Sanjib Mitra from India, who had used the site and subsequently discovered, in April 2006, that he could access all the Indian applications that had been made on the site.
“He reportedly emailed the company last year but heard nothing. He emailed the British High Commission, who two months later replied that they would look into it. He then alerted an Internet journalist specialising in computer security.”
So, the PII data was available online for at least a year…possibly longer…and the government took no action upon receiving a report of the security flaw.
The site processing was outsourced by the U.K.’s Visas government office to VFS Global, located in India.
U.K. organizations that outsource PII processing to other organizations, including those outside of the U.K., are legally responsible under the U.K. Data Protection Act to ensure the PII will be properly safeguarded.
Apparently the outsourced organization, VFS Global, did not have effective measures in place to ensure security was built into their online application, and they did not test it thoroughly prior to putting it into production.
This is another example of the need for organizations to perform thorough information security program reviews for the organizations to which they are outsourcing PII processing of any kind, in addition to including detailed information security requirements within the contracts.
It will be interesting to see what kind of penalty, if any, is applied to the U.K. Visas department which outsourced the Visa processing to VFS.
Ironically enough, in February of 2007 they had awarded a £297 million ($589 million) project to VFS Global to provide a “global information service to applicants” and establish visa application centers in 50 countries. This despite having been alerted to the security flaw in VFS Global’s online visa processing application a year earlier.
Will they cancel this contract based upon this demonstrated lack of application security capability? We shall see…but likely not…
Tags: awareness and training, Data Protection Act, government, Information Security, IT compliance, outsourcing, policies and procedures, privacy, SDLC