Government Web site was a soft target

New questions have been raised about the adequacy of security systems on government computers used to administer its £260m Individual Learning Account training scheme, as evidence begins to emerge of a significant black-market trade in personal training account details.

Touts have been offering lists of illegally obtained ILA account numbers belonging to members of the public who signed up for training, at up to £100 per account, Computer Weekly has learnt.

The numbers, which should have been held securely on the ILA Web site, managed by outsourcer Capita, have been used by fraudsters to claim the £200-a-head grants for training courses that they did not provide.

The revelations come as the Parliamentary Ombudsman began an investigation into claims of maladministration by the Government in the running of the ILA programme. The select committee for education and skills and the National Audit Office will also investigate.

James Eades, operations director at Best Computer Training, one of the largest IT training companies in the UK, confirmed this week that his company had been approached several times by touts offering numbers.

Steve Field, director of Premier Learning Providers, had a similar experience. "We were approached by possibly four or five parties offering different levels of numbers, or saying if we had any students where we had not claimed the number, they could get the number for us."

Evidence has also emerged that some firms were offering bribes to staff in training companies to persuade them to hand over numbers. Lee Wilkes, managing director at IT training company WWWDot Group International, said it had sacked two freelancers for passing numbers to a rival firm.

The existence of the list-selling has highlighted poor security on the Web site, set up by Capita to allow training companies to register students' account numbers in order to claim the £200 training grant for each student.

Training firms said security was so lax that almost anyone could gain access to the site and, once logged on, could easily identify unused account numbers by trial and error.

Eades said, "I could go and log myself in as a learning provider, and because the numbers increased sequentially I could earmark the next number in line if it was unused."

Training companies raised questions with the Department for Education and Skills (DfES) about the absence of checks on companies and individuals applying for access to the Web site.

"You need to be able to fill out an A4 form and send them an insurance certificate. You had to have a phone number, though it could be a mobile, and that was it, really," said Eades.

Capita said that learning providers may have misused the site. "A limited number of users may have abused their authorised access and acted in an inappropriate manner. Such behaviour could be viewed as a breach of trust but not a breach of the system," the company said.

DfES said that the account numbers used a checksum system that meant only certain numbers were valid, but declined to comment further.

What the (honest) trainers said

"The Web site was password-protected but it was so easy to fill in a form and, 48 hours later, you easily had access to the training accounts. There was no need for people to prove they had a track record of training"
Roger Tuckett, Henley Community Online

"Some of my centres had people phoning up saying, 'I have got a stack of 1,000 numbers. I will charge you £25 for each of them', hoping our training centre would buy them, log them into the system and claim £200 for each number. This happened about three times"
James Eades, Best Computer Training

"We feel the Government came into the training market with good intentions for ILAs. They have just walked away from it and left it in a bit of a mess."
James O'Brien, Pitman Training