ContactPoint, the children's database holding details of 11 million children in the UK, needs tighter security, experts have said.
Holding the details of every child creates a "security headache", according to security provider Overtis Systems. The company said the government should hold only the details of children who have been involved with social services.
The launch of the database has already been delayed three times because of concerns over the privacy of 55,000 children whose whereabouts need to be kept secret.
ContactPoint will be accessible to 390,000 users, which Overtis says makes the system "highly vulnerable" because of the large number of endpoints. There is also no clear process for managing accounts when these users leave their jobs or have their access downgraded, and Overtis said targeted malware is a "very real concern".
"Without comprehensive security at the end point, between the user and the data, it is relatively simple to copy data out of any application," the company said.
User access is determined by job role, but Overtis says the government has made little mention of how administrator access is monitored or managed.
It says IT and database administrators will probably have system-wide access, which should be subject to the same security checks as other users' access.
Authentication is another weak point. Access to the database is controlled by the Employee Authentication Service, a two-factor authentication system that went live on June 8 for 800 pilot employees; national roll-out is due in October.
Overtis said the sensitivity of the data held on ContactPoint, which includes each child's name, address, date of birth, carers and ID code, means biometric authentication should have been used. Although two-factor authentication is stronger than a password alone, it only protects the login itself: a user's authenticated session could still be hijacked by anyone at their desk while they are away from it.
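The two concerns raised above, unattended sessions outliving a strong login and accounts that keep working after a user leaves or is downgraded, are both questions of what a system checks on every request rather than at login. The following is an added illustration written for this page; it is not ContactPoint or Employee Authentication Service code, nor Overtis's. The user directory, role names, timeout values and scenario are constructed assumptions. It enforces idle and absolute session expiry, re-consults the directory on each request so leaver and downgrade events take effect immediately, and provides a hook to kill a departing user's live sessions.

```python
"""Session-lifecycle checks for a role-based system (added example, constructed data)."""
import secrets
from dataclasses import dataclass
from datetime import datetime, timedelta

IDLE_TIMEOUT = timedelta(minutes=10)    # assumption: an unattended session dies after 10 minutes
ABSOLUTE_TIMEOUT = timedelta(hours=8)   # assumption: full re-authentication (both factors) every shift


@dataclass
class Session:
    user: str
    role: str            # role captured at login; compared with the directory on every request
    issued_at: datetime
    last_seen: datetime


class Directory:
    """Constructed stand-in for the HR/identity directory that drives joiner/mover/leaver events."""

    def __init__(self, accounts):
        self.accounts = accounts  # {username: {"role": str, "active": bool}}

    def is_active(self, user):
        return self.accounts.get(user, {}).get("active", False)

    def role_of(self, user):
        return self.accounts.get(user, {}).get("role")

    def deactivate(self, user):      # leaver event
        self.accounts[user]["active"] = False

    def set_role(self, user, role):  # mover / downgrade event
        self.accounts[user]["role"] = role


class SessionStore:
    def __init__(self, directory):
        self.directory = directory
        self.sessions = {}

    def login(self, user, now, second_factor_ok):
        """Issue a session only if both factors passed and the account is still active."""
        if not second_factor_ok or not self.directory.is_active(user):
            return None
        token = secrets.token_urlsafe(32)
        self.sessions[token] = Session(user, self.directory.role_of(user), now, now)
        return token

    def authorize(self, token, now, required_role):
        """Return 'ok' or the reason access was refused; hard failures drop the session."""
        s = self.sessions.get(token)
        if s is None:
            return "no-session"
        if now - s.issued_at > ABSOLUTE_TIMEOUT:
            del self.sessions[token]
            return "absolute-timeout"
        if now - s.last_seen > IDLE_TIMEOUT:
            # A strong login does not protect an unattended desk; idle expiry bounds the window.
            del self.sessions[token]
            return "idle-timeout"
        # Re-check the directory on every request so leavers and downgrades bite immediately.
        if not self.directory.is_active(s.user):
            del self.sessions[token]
            return "account-disabled"
        current_role = self.directory.role_of(s.user)
        if current_role != s.role:
            del self.sessions[token]
            return "role-changed"
        if current_role != required_role:
            return "forbidden"
        s.last_seen = now
        return "ok"

    def revoke_all(self, user):
        """Leaver hook: kill every live session for the user, not only future logins."""
        for token in [t for t, s in self.sessions.items() if s.user == user]:
            del self.sessions[token]


def walkthrough():
    """Constructed scenario; returns the outcome of each step so it can be checked."""
    t0 = datetime(2009, 6, 8, 9, 0)
    directory = Directory({"alice": {"role": "caseworker", "active": True},
                           "bob": {"role": "caseworker", "active": True}})
    store = SessionStore(directory)
    out = {}

    tok = store.login("alice", t0, second_factor_ok=True)
    out["login_without_2fa"] = store.login("bob", t0, second_factor_ok=False)
    out["active_use"] = store.authorize(tok, t0 + timedelta(minutes=5), "caseworker")
    out["left_desk_30min"] = store.authorize(tok, t0 + timedelta(minutes=35), "caseworker")

    tok = store.login("alice", t0 + timedelta(hours=1), second_factor_ok=True)
    directory.set_role("alice", "read-only")                # mover: access downgraded mid-session
    out["after_downgrade"] = store.authorize(tok, t0 + timedelta(hours=1, minutes=1), "caseworker")

    tok = store.login("bob", t0, second_factor_ok=True)
    directory.deactivate("bob")                             # leaver, sessions not yet revoked
    out["after_leaving"] = store.authorize(tok, t0 + timedelta(minutes=1), "caseworker")

    tok = store.login("alice", t0 + timedelta(hours=2), second_factor_ok=True)
    store.revoke_all("alice")                               # explicit revocation of live sessions
    out["after_revoke"] = store.authorize(tok, t0 + timedelta(hours=2, minutes=1), "read-only")
    return out
```

The point the scenario makes is that the second factor is consulted exactly once, at login; everything after that depends on the per-request checks. Without the idle timeout, the 35-minute gap would be served as "ok", and without the directory re-check the downgraded and deactivated users would keep their original access until their sessions happened to expire.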
Richard Walters, product director at Overtis Systems, said, "Why the government has created this security headache in the first place, particularly when their track record on handling data raises serious questions, is something of a mystery."