Sackings mount over DWP data leaks

DWP CIS security breaches - FOI - 23 MAR 2012.pngPublic bodies have sacked at least 120 staff for abusing their access rights to the Department for Work and Pensions’ Customer Information System, a government database containing details of every citizen in the country that will be at the heart of the coalition government’s Universal Credit benefits system.

DWP admitted the latest sackings to Computer Weekly as Channel4 closed a year-long investigation into cowboy private investigators who steal private data from government databases for cash. A Channel4 Dispatches documentary, aired last night, revealed how the rogue operators in the burgeoning security industry were getting illegal access to personal data stored in government databases. Undercover reporter Chris Atkins bought with just a few hundred pounds data about people’s state benefits, health complaints and criminal records.

Local Authorities sacked 46 staff between January 2010 and March 2012 after they were caught abusing their rights to access the DWP database, Computer Weekly can reveal exclusively.

DWP itself sacked 57 staff in the two years to March 2012 after they were caught snooping for personal data in their own system, the department told Computer Weekly in answer to a Freedom of Information request.


The revelations bring to 120 the total known DWP database sackings since 2007. But this could be just the tip of the iceberg. DWP has disclosed information about only a small portion of those staff with access to the CIS. Having previously ignored requests for information about members of its own staff caught snooping, it has now revealed only those who were caught in the last two years.

The DWP citizen database is used by at least 200,000 people across almost the whole of central and local government. The DWP told Computer Weekly, as it has repeatedly since 2009, that it cannot reveal the full extent of data breaches on its national database because it does not “keep central records”. HM Revenue & Customs, which employs a staggering 80,000 people, has refused access to information about any of its staff caught abusing their rights to access the DWP database.

Channel4’s investigation found in response to another FOI that the DWP had, aside from sackings, disciplined 992 of its own staff in 10 months for breaching security of the CIS – five people every day. Full exposure of breaches and sackings at DWP and HMRC, which are merging their computer systems to form the Universal Credit benefits system, might damage the credibility of the flagship coalition programme.

Three years after Computer Weekly exposed the problem, local councils are still sacking people at the same rate. They have been forced to sack five staff on average every three months for snooping on on the CIS. Between January and March 2012, they sacked seven. Those sacked have been caught looking up celebrities, neighbours, family members, colleagues and acquaintances.

Channel4 Dispatches - Watching the Detectives - Chris Atkins undercover camera.jpegSpooks

The Channel4 documentary exposed a private investigator who bragged and then followed through on a claim that he could use an “internal contact” to get people’s personal data for cash.

Stephen Anderson, director of Crown Intelligence and Security Limited, dredged up personal information about activists the undercover reporter said were causing a nuisance for a retail corporation. For £500, Anderson retrieved detailed records about claims for state benefits made by James Leadbitter, a climate change and anti-capitalist activist from Burnley.

On discovering illegal data breach, Leadbitter told the programme: “I feel sick. Why don’t they just break into my flat and go through my stuff…I would struggle to get that information out of the DWP.”

The source of the data was unconfirmed. The investigator did not reveal whether he used his inside contact or blagged the information by pretending to be someone he wasn’t. The benefits data may have come from local authority databases or the DWP CIS. Further investigation not shown in the programme revealed that someone had been trying to blag data from a DWP call centre. It looked like the investigators were testing various well-trod routes to the data.

DWP claims the sackings prove its security checks are adequate: they catch staff who look up information they shouldn’t. It records and tracks details of staff accesses on the system. It said the benefits data obtained by Channel4 did not come from DWP.