New questions have been raised about the adequacy of security
systems on government computers used to administer its £260m
Individual Learning Account training scheme, as evidence begins to
emerge of a significant black-market trade in personal training
account details.
Touts have been offering lists of illegally obtained ILA account
numbers belonging to members of the public who signed up for
training, at up to £100 per account, Computer Weekly has
learnt.
The numbers, which should have been held securely on the ILA Web
site, managed by outsourcer Capita, have been used by fraudsters to
claim the £200-a-head grants for training courses that they did not
provide.
The revelations come as the Parliamentary Ombudsman begins an
investigation into claims of maladministration by the Government in
the running of the ILA programme. The select committee for
education and skills and the National Audit Office will also
investigate.
James Eades, operations director at Best Computer Training, one of
the largest IT training companies in the UK, confirmed this week
that his company had been approached several times by touts
offering numbers.
Steve Field, director of Premier Learning Providers, had a similar
experience. "We were approached by possibly four or five parties
offering different levels of numbers, or saying if we had any
students where we had not claimed the number, they could get the
number for us."
Evidence has also emerged that some firms were offering bribes to
staff in training companies to persuade them to hand over numbers.
Lee Wilkes, managing director at IT training company WWWDot Group
International, said it had sacked two freelancers for passing
numbers to a rival firm.
The existence of the list-selling has highlighted poor security on
the Web site, set up by Capita to allow training companies to
register students' account numbers in order to claim the £200
training grant for each student.
Training firms said security was so lax that almost anyone could gain
access to the site and, once logged on, could easily identify unused
account numbers by trial and error.
Eades said, "I could go and log myself in as a learning provider,
and because the numbers increased sequentially I could earmark the
next number in line if it was unused."
Training companies raised questions with the Department for
Education and Skills (DfES) about the absence of checks on
companies and individuals applying for access to the Web
site.
"You need to be able to fill out an A4 form and send them an
insurance certificate. You had to have a phone number, though it
could be a mobile, and that was it, really," said Eades.
Capita said that learning providers may have misused the site. "A
limited number of users may have abused their authorised access and
acted in an inappropriate manner. Such behaviour could be viewed as
a breach of trust but not a breach of the system," the company
said.
DfES said that the account numbers used a checksum system that
meant only certain numbers were valid, but declined to comment
further.
What the (honest) trainers said
"The Web site was password-protected but it was so easy to fill in
a form and, 48 hours later, you easily had access to the training
accounts. There was no need for people to prove they had a track
record of training."
Roger Tuckett, Henley Community Online
"Some of my centres had people phoning up saying, 'I have got a
stack of 1,000 numbers. I will charge you £25 for each of them',
hoping our training centre would buy them, log them into the system
and claim £200 for each number. This happened about three times."
James Eades, Best Computer Training
"We feel the Government came into the training market with good
intentions for ILAs. They have just walked away from it and left it
in a bit of a mess."
James O'Brien, Pitman Training