Identity and Passport Service fixes online weakness

The Identity and Passport...

The Identity and Passport Service (IPS) has fixed a security weakness in its online passport application progress checking service.

The flaw enabled a separated parent to discover the existence of a child's passport application by using the online service.

The incident was reported to the Information Commissioner's Office (ICO) last year, but made public only recently with the publication of the IPS annual report.

An IPS spokesman said, "Current procedure ensures that the person making the enquiry is now required to supply the unique application bar code reference number."

This number is given only to the parent submitting the application.

Bill Beverley, security technology sales manager at F5 Networks said the incident highlighted the fact that many online security floors are as a result of programming errors.

"Many sites are still constructed with usability and budgets as key considerations and neglect application level security, which would offer protection against such errors," he said.

This simple error could have been avoided, said Beverley, if there had been a security mandate in place to ensure application security best practices were enforced.

"Without further legislation enforced by the government, organisations will continue to overlook security and we could see more sensitive data exposed through neglect," he said.

The IPS annual report said it would continue to monitor and assess its information risks to identify and address any weaknesses.

Planned steps for the coming year included improving security communications and training, and improving incident reporting and incident management information.



Enjoy the benefits of CW+ membership, learn more and join.

Read more on IT risk management

Start the conversation

Send me notifications when other members comment.

By submitting you agree to receive email from TechTarget and its partners. If you reside outside of the United States, you consent to having your personal data transferred to and processed in the United States. Privacy

Please create a username to comment.