The Identity and Passport Service (IPS) has fixed a security
weakness in its online passport application progress checking
service.
The flaw enabled a separated parent to discover the existence of
a child's passport application by using the online service.
The incident was reported to the
Information Commissioner's Office (ICO) last year, but made
public only recently with the publication of the
IPS annual report.
An IPS spokesman said, "Current procedure ensures that the
person making the enquiry is now required to supply the unique
application bar code reference number."
This number is given only to the parent submitting the
application.
Bill Beverley, security technology sales manager at F5 Networks,
said the incident highlighted the fact that many online security
flaws are the result of programming errors.
"Many sites are still constructed with usability and budgets as
key considerations and neglect application level security, which
would offer protection against such errors," he said.
This simple error could have been avoided, said Beverley, if
there had been a security mandate in place to ensure application
security best practices were enforced.
"Without further legislation enforced by the government,
organisations will continue to overlook security and we could see
more sensitive data exposed through neglect," he said.
The IPS annual report said it would continue to monitor and
assess its information risks to identify and address any
weaknesses.
Planned steps for the coming year included improving security
communications and training, and improving incident reporting and
incident management information.