Staff working for Her Majesty's Courts Service have breached security on the government database that stores personal data about everyone in the UK.
Also, local authorities sacked 26 employees last year for snooping on personal data stored on the Department for Work and Pensions (DWP) Customer Information System (CIS), which, with 90 million records, is one of the largest databases in Europe.
Freedom of Information (FoI) requests by Computer Weekly revealed that the DWP caught 124 council workers breaching database security in the year to April 2010.
E-mail exchanges between IT security staff at the DWP and the Ministry of Justice (MoJ), obtained by Computer Weekly, also expose the weak grip the DWP had on the security of the five-year-old CIS database.
Caught in the act
Public sector workers have been repeatedly caught snooping on personal data stored by the DWP since the department gave other government agencies access to the database in 2005.
The MoJ said HM Courts Service staff had been caught looking at CIS personal data on 23 occasions since April 2008 and the breaches had continued through 2010.
The DWP was regularly catching staff snooping on CIS even while it drew up plans in 2007 for the citizen database to become a spine for sharing personal data across the whole of government. The security breaches continued as ministers approved plans for the CIS-Cross Government (CIS-X) scheme to become the biographical core of the now-defunct ID cards programme.
So far, 180 CIS users are known to have breached its security by looking up personal data about or on behalf of friends, relatives, colleagues, celebrities and themselves. At least 35 public sector workers have been sacked. The MoJ said it had not retained records of breaches committed by Courts Service staff before 2008.
About 200,000 public sector staff have regular access to the CIS.
E-mails released to Computer Weekly describe a lax security regime in which the DWP sent computer-generated security alerts to other departments that had access to its database, but had no process in place to ensure the alerts were acted on promptly.
The MoJ said, in answer to an FoI request, that DWP security audits were performed once a quarter. Even then, the audits did not run to schedule: on one occasion the DWP waited nearly five months before telling the MoJ about suspected security breaches.
Security warnings the DWP sent to MoJ in October revealed that one Courts Service staffer had been free to breach CIS security on nine separate occasions.
"I'm afraid there are quite a large number this time," said the DWP security officer when sending the backdated security warnings to the MoJ.
The details were also incomplete: the MoJ did not know when the breaches had actually occurred. Even so, the security problems were serious enough that the Identity and Passport Service was by then preparing to ditch CIS-X as one of the three major design components of the ID card scheme.
The e-mails reveal that, despite the warnings, the security arrangements the DWP had established with the MoJ were so vague that security staff were uncertain what they were supposed to do to protect personal data stored in the CIS.
The first record of any attempt by the DWP to warn the MoJ of security breaches was on 29 April 2008, three years after Courts staff were given access.
The MoJ had to ask the DWP what disciplinary steps it should take to deal with people caught snooping in the database. It was also uncertain what terms of CIS use it had agreed with the DWP.
On two occasions, the DWP had to check whether it was sending the security warnings to the right person.
On 22 October 2009, an MoJ IT security analyst sent an e-mail to the DWP Risk Assurance Division asking for help to investigate a Courts Service employee suspected of snooping on the CIS.
"One of the operators appears to have searched for themselves... would you be able to provide a record of other searches made by that operator?" asked the MoJ analyst. "[Their manager] is worried that they might have searched for other members of the office."
Two-and-a-half weeks later, the DWP responded that it was reluctant to help investigate, even though the incident involved a suspected security breach of its own CIS database.
"It is not within the role of RADI [the DWP's Risk Assurance Division Investigations] to procure further evidence on your behalf," said the DWP in an e-mail to the MoJ security analyst on 10 November.
The DWP said that if the MoJ wanted it to investigate the potential security breach, the MoJ would have to fill in the required forms. "The process of obtaining the data may take at least nine weeks," it said.
The MoJ had, by then, conducted its own investigation into the suspected security breach. Further e-mails revealed that there was still no clear idea about how verified breaches should be reported to the DWP.
The e-mails also reveal that in January 2010, the month after CIS was taken out of the ID scheme, the DWP created a new security team. But the first report of suspected security breaches to the MoJ, in the usual form of a spreadsheet, proved inadequate.
On 3 February 2010, the MoJ asked the DWP to "resend the spreadsheet" with information about the location of the Courts Service staff it suspected of breaching CIS security.
"Previous CIS reports have included the user's office, but this does not have it," complained an MoJ IT security analyst in the e-mail. "I need further information in order to contact the relevant HR adviser." The DWP did not have the information, but gathered some location data from another source.
Despite the fact that as long ago as 2006 council workers were being sacked for abusing their right to access CIS, the DWP envisaged CIS-X being the conduit for a vast increase in government data-sharing.
In February 2008, two months before the MoJ's e-mail record of the DWP's haphazard security regime begins, the DWP submitted evidence to the MoJ Data Sharing Review. It said the "extensive" security it used to protect citizen data on CIS had recently been reappraised, and called for more data-sharing across government. The CIS database could be used, for example, to determine whether people were entitled to free prescriptions or school meals.
The MoJ subsequently tried to increase the government's data-sharing powers in the Coroners and Justice Bill. Its withdrawal of the proposal a year later coincided with the first revelations about the CIS security problems.
The vast majority of security breaches were exposed by warnings generated by the DWP's computerised scans of accesses. Yet when Computer Weekly sought a record of all breaches committed on the CIS last year, the DWP said in an official FoI statement that it could not supply the information because it did not keep records.
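The two scans the article turns on, the automated access review that produced the DWP's alerts and the follow-up the MoJ analyst asked for (all other searches by an operator who had looked themselves up, and whether colleagues in the same office had been searched), can be illustrated with a small audit-log scan. The code below is an added example, not the DWP's or the MoJ's own system; the log format, the operator ids, the citizen record ids and the staff directory are all constructed for the illustration, and the real CIS audit data will look nothing like them. It flags self look-ups, look-ups of a colleague's record from the same office, and accesses by accounts missing from the directory, and it carries the operator's office into the report, which is the field the MoJ complained was absent from the DWP's spreadsheet.

```python
"""Toy access-audit scan for insider look-ups on a citizen records database.

Added example, not the DWP's or MoJ's own code. Log format, field names,
operator ids, record ids and the staff directory are constructed values.
"""
from collections import Counter
from dataclasses import dataclass

# Constructed staff directory: operator id -> (the citizen record that is the
# operator's own, the office they work in). All values are hypothetical.
STAFF = {
    "op1001": ("C-55001", "Leeds Courts"),
    "op1002": ("C-55002", "Leeds Courts"),
    "op1003": ("C-55003", "Leeds Courts"),
    "op2001": ("C-66001", "Bristol Council"),
}

# Constructed audit log lines: timestamp|operator|target_record|reason_code
SAMPLE_LOG = """\
2009-10-01T09:12:04|op1001|C-55001|CASE
2009-10-01T09:15:40|op1001|C-90001|CASE
2009-10-01T09:16:02|op1001|C-55002|CASE
2009-10-02T14:03:11|op1002|C-90002|CASE
2009-10-03T10:44:59|op2001|C-66001|NONE
2009-10-05T11:02:13|op1001|C-55003|CASE
2009-10-06T08:30:00|op1003|C-90003|CASE
2009-10-06T09:00:00|op9999|C-90004|CASE
"""


@dataclass(frozen=True)
class Access:
    ts: str
    operator: str
    target: str
    reason: str


def parse_log(text):
    """Parse pipe-delimited audit lines into Access records; blank lines skipped."""
    out = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, op, target, reason = line.split("|")
        out.append(Access(ts, op, target, reason))
    return out


def flag_accesses(accesses, staff=STAFF):
    """Return (access, finding) pairs for look-ups an auditor should review."""
    own_record = {op: rec for op, (rec, _office) in staff.items()}
    office_of = {op: office for op, (_rec, office) in staff.items()}
    record_owner = {rec: op for op, rec in own_record.items()}  # record -> operator it belongs to
    findings = []
    for a in accesses:
        if a.operator not in staff:
            # Account not in the directory: nobody can be held to account for it.
            findings.append((a, "UNKNOWN_OPERATOR"))
            continue
        if a.target == own_record[a.operator]:
            findings.append((a, "SELF_LOOKUP"))
            continue
        owner = record_owner.get(a.target)
        if owner is not None and office_of[owner] == office_of[a.operator]:
            findings.append((a, f"COLLEAGUE_LOOKUP:{owner}"))
    return findings


def searches_by(accesses, operator):
    """Every search by one operator, oldest first: the follow-up an investigator
    asks for once a self look-up has been spotted."""
    return sorted((a for a in accesses if a.operator == operator), key=lambda a: a.ts)


def repeat_offenders(findings, threshold=2):
    """Operators with at least `threshold` flagged accesses."""
    counts = Counter(a.operator for a, _ in findings)
    return {op: n for op, n in counts.items() if n >= threshold}


def report(findings, staff=STAFF):
    """One line per finding, carrying the office so HR can be contacted."""
    lines = []
    for a, why in findings:
        office = staff.get(a.operator, (None, "?"))[1]
        lines.append(f"{a.ts} {a.operator} ({office}) -> {a.target}: {why}")
    return lines


if __name__ == "__main__":
    accesses = parse_log(SAMPLE_LOG)
    findings = flag_accesses(accesses)
    print("\n".join(report(findings)))
    print("repeat offenders:", repeat_offenders(findings))
    print("all searches by op1001:", [a.target for a in searches_by(accesses, "op1001")])
```

The scan is only as good as the directory behind it: matching an operator to their own record and to their office colleagues is what turns a list of accesses into findings, and an alert with no office attached, as in the spreadsheet the MoJ sent back, cannot be routed to anyone who can act on it. A real deployment would also feed findings to the data owner's own investigators with the timestamps intact, so the receiving department is not left guessing when the breaches occurred.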
The MoJ said it did not keep records of what disciplinary action had been taken against courts staff for breaching CIS security last year. "Where we hold relevant information, three of the users who committed breaches have received final warnings," it said.
Other FoI requests revealed that local authorities had been forced to take disciplinary action against 81 staff for breaching CIS security last year. A further eight people resigned before they could be disciplined and eight disciplinary processes were ongoing.
The National Audit Office reported in November 2008 that CIS had already cost £88m - more than twice its budget - even before the CIS-X work had begun.