Government IT training site breaches data laws

The Web site used by the Government to administer its Individual Learning Account (ILA) training programme breaches UK data protection regulations, legal experts said this week.

Their comments follow revelations that the site, which is still available in Scotland, can give training providers access to the personal details of students who have signed up to the scheme but have yet to register with a training provider.

By mistyping 10-digit learning account numbers on digital forms, training providers can identify unused account numbers and view the names and details of students who have registered for the ILA scheme.

Under the UK's data protection laws, Web sites must provide sufficient safeguards to protect personal data.

"The site is in breach of data protection legislation," said Dai Davis, IT specialist at law firm Nabarro Nathanson. "Why can a training provider get access to account numbers? Why are the account numbers not being generated randomly or using a sophisticated algorithm?"

The Department for Education and Skills (DfES) suspended the £260m ILA scheme in December after it received evidence that fraudsters were using the site to claim subsidies for training they were not providing.

Fraudsters exploited poor security on the ILA Web site to cheat the public out of money that should have been used to help them improve their skills.

The full scale of the fraud has yet to be established, but concerns are growing that fraudsters posing as training firms may have walked away with millions of pounds.

The ILA Web site was designed to allow training providers to register students using a 10-digit account number and claim subsidies of up to £200 to train them.

With the help of concerned training providers, Computer Weekly has been able to piece together just how easy it was for fraudsters to abuse the site, which lacked even the most basic safeguards.

The Government and IT supplier Capita, which ran the site, apparently carried out few, if any, checks on training companies applying to access the ILA site.

All firms needed to do was fill in a one-page form giving their name and address, a phone number and proof that their business was insured.

Once on the Web site, fraudsters were able to guess unused account numbers and use them to claim subsidies of up to £200.

One concerned training provider demonstrated just how simple this process would have been by using the ILA site that is still available to companies in Scotland.

Starting with a number roughly in the range of the firm's own account numbers, staff were able to change one digit at a time until they hit on a valid account number. It took less than 10 attempts.

From the first valid number, the company showed that it could generate tens of further valid numbers by changing digits in a simple numeric sequence.

The company's technical director said it took him less than 20 minutes to work out the sequence.
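The weakness the training provider demonstrated, and the fix Dai Davis asks about, can be shown in a few lines. The following is an added illustration written for this page, not code from the ILA site, Capita or Computer Weekly: a toy account registry that issues numbers either in sequence or uniformly at random, a lookup that answers "valid/invalid" for any number (the oracle described above) beside one that also requires a detail the student gives their chosen provider, and an exposure metric that measures how many of the numbers next to a known valid one are themselves valid. The class and function names, the starting number and the surnames are all constructed.

```python
# Added illustration, not code from the ILA site: why numbers issued in
# sequence are guessable, and what random issuance plus a binding detail
# changes. All names and values here are constructed.
import secrets
from dataclasses import dataclass, field

DIGITS = 10               # the scheme used 10-digit account numbers
SPACE = 10 ** DIGITS      # 10,000,000,000 possible numbers


@dataclass
class Registry:
    """Toy account store: number -> surname of the student it was issued to."""
    accounts: dict = field(default_factory=dict)
    last_sequential: int = 1_000_000_000   # constructed starting point

    def issue_sequential(self, surname: str) -> str:
        """Weak scheme: each new number is the previous one plus one, so any
        valid number reveals its neighbours."""
        self.last_sequential += 1
        number = f"{self.last_sequential:0{DIGITS}d}"
        self.accounts[number] = surname
        return number

    def issue_random(self, surname: str) -> str:
        """Stronger scheme: a uniformly random number from the full space,
        re-drawn on the (rare) collision. Neighbours of a known number are
        no more likely to be valid than any other number."""
        while True:
            number = f"{secrets.randbelow(SPACE):0{DIGITS}d}"
            if number not in self.accounts:
                self.accounts[number] = surname
                return number

    def lookup_leaky(self, number: str) -> bool:
        """The behaviour the article describes: a yes/no answer for any
        number typed in, which turns the form into a validity oracle."""
        return number in self.accounts

    def lookup_bound(self, number: str, surname: str) -> bool:
        """Requires a detail the student gives their chosen provider, and
        returns the same answer for 'no such number' and 'wrong surname',
        so a bare number on its own confirms nothing."""
        return self.accounts.get(number) == surname


def adjacent_hit_rate(registry: Registry, known: str, probes: int = 9) -> float:
    """Exposure metric for an issuance scheme: the fraction of the numbers
    immediately after a known valid one that are themselves valid."""
    base = int(known)
    hits = sum(
        registry.lookup_leaky(f"{(base + i) % SPACE:0{DIGITS}d}")
        for i in range(1, probes + 1)
    )
    return hits / probes


def expected_random_guess_rate(issued: int) -> float:
    """Chance that one uniformly random guess lands on an issued number when
    numbers are drawn uniformly from the whole space."""
    return issued / SPACE


if __name__ == "__main__":
    weak = Registry()
    first = weak.issue_sequential("Smith")
    for n in range(50):
        weak.issue_sequential(f"student{n}")
    print("sequential scheme, adjacent hit rate:", adjacent_hit_rate(weak, first))

    strong = Registry()
    for n in range(50):
        strong.issue_random(f"student{n}")
    first = strong.issue_random("Smith")
    print("random scheme, adjacent hit rate:", adjacent_hit_rate(strong, first))
    # 250,000 is a constructed figure for the number of issued accounts.
    print("random scheme, chance per guess with 250,000 accounts:",
          expected_random_guess_rate(250_000))
    print("bound lookup with the wrong surname:", strong.lookup_bound(first, "Jones"))
```

Under the sequential scheme every number after a known one is valid, which is exactly the "change one digit at a time" behaviour the provider reported; under random issuance the same probe finds nothing, and a single guess succeeds only with probability issued/10^10. Requiring a second, student-held detail and returning one answer for both failure cases closes the oracle even where a number does leak.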

He approached Computer Weekly because of concerns among training providers that the fraud surrounding the ILA programme has damaged the public's confidence in IT training.

Training providers have told Computer Weekly how they were offered lists containing thousands of illegally obtained account numbers, which could have been used to claim hundreds of thousands of pounds from government coffers.

"If you sat down at this system overnight you could have generated 250,000 numbers," the training company said. "This has given the legitimate training companies a very bad name."

The DfES has appointed independent consultancy Cap Gemini to investigate the design of the Web site.

ILA applications: four steps to fraud
How fraudsters could have circumvented security on the ILA Web site to cheat the public out of their IT training subsidies.

Step one: Fill in a one-page form to join the ILA scheme. Give your name, address, phone number and bank account details.

Step two: Log into the ILA Web site using the password supplied by the ILA centre.

Step three: Guess an ILA account number and try it. The site will tell you if the number is invalid. Change the last digit until you hit on a valid number. Other valid account numbers follow in sequence.

Step four: Once you have a valid number, see how much money is in the account. Sell numbers on the black market for £100 each or use them to claim money for training you have not provided.
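Each of the steps above leaves a trace on the server: a provider that is guessing produces runs of "invalid" responses and a sequence of numbers that differ from one another by a single digit. As an added example for this page (not code from the ILA site or from the Cap Gemini review), the following detector parses constructed lookup-log lines, keeps a sliding window of invalid lookups per provider, counts consecutive lookups one digit apart, and flags providers that cross either threshold. The log format, provider identifiers, account numbers, timestamps and thresholds are all constructed for the example.

```python
# Added example, not the ILA site's code: spotting account-number guessing
# in lookup logs. The log format and every value below are constructed.
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed format: ISO timestamp, provider id, 10-digit number, outcome.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) provider=(?P<provider>\S+) "
    r"account=(?P<account>\d{10}) result=(?P<result>valid|invalid)$"
)

# Constructed sample: TP-0042 behaves like a normal provider (one typo);
# TP-0917 walks the last digit upwards until it finds live accounts.
SAMPLE_LOG = """\
2001-11-14T09:12:03Z provider=TP-0042 account=1000002345 result=valid
2001-11-14T09:40:51Z provider=TP-0042 account=1000007891 result=invalid
2001-11-14T09:41:07Z provider=TP-0042 account=1000007819 result=valid
2001-11-14T10:02:10Z provider=TP-0917 account=1000002340 result=invalid
2001-11-14T10:02:14Z provider=TP-0917 account=1000002341 result=invalid
2001-11-14T10:02:19Z provider=TP-0917 account=1000002342 result=invalid
2001-11-14T10:02:23Z provider=TP-0917 account=1000002343 result=invalid
2001-11-14T10:02:28Z provider=TP-0917 account=1000002344 result=invalid
2001-11-14T10:02:33Z provider=TP-0917 account=1000002345 result=valid
2001-11-14T10:02:39Z provider=TP-0917 account=1000002346 result=valid
2001-11-14T10:02:44Z provider=TP-0917 account=1000002347 result=valid
this line is malformed and should be skipped
"""


def parse_line(line: str):
    """Return a dict for a well-formed log line, or None for anything else."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return rec


def digit_distance(a: str, b: str) -> int:
    """Number of digit positions in which two equal-length numbers differ."""
    return sum(x != y for x, y in zip(a, b))


def find_enumeration(lines, window=timedelta(minutes=10),
                     max_invalid=5, max_adjacent=5):
    """Group lookups by provider and flag those whose behaviour looks like
    guessing: too many invalid answers inside one time window, or too many
    consecutive lookups that differ by exactly one digit."""
    by_provider = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec:
            by_provider[rec["provider"]].append(rec)

    findings = {}
    for provider, recs in by_provider.items():
        recs.sort(key=lambda r: r["ts"])

        # Sliding window over time: peak count of invalid lookups.
        worst_invalid = invalid_in_window = start = 0
        for i, rec in enumerate(recs):
            if rec["result"] == "invalid":
                invalid_in_window += 1
            while rec["ts"] - recs[start]["ts"] > window:
                if recs[start]["result"] == "invalid":
                    invalid_in_window -= 1
                start += 1
            worst_invalid = max(worst_invalid, invalid_in_window)

        # Consecutive lookups one digit apart: the "change the last digit"
        # pattern described in the article.
        adjacent = sum(
            1 for p, q in zip(recs, recs[1:])
            if digit_distance(p["account"], q["account"]) == 1
        )

        reasons = []
        if worst_invalid >= max_invalid:
            reasons.append(f"{worst_invalid} invalid lookups within {window}")
        if adjacent >= max_adjacent:
            reasons.append(f"{adjacent} consecutive lookups one digit apart")
        if reasons:
            findings[provider] = reasons
    return findings


if __name__ == "__main__":
    for provider, reasons in find_enumeration(SAMPLE_LOG.splitlines()).items():
        print(provider, "->", "; ".join(reasons))
```

Either signal alone is worth an alert; together they are the signature of the walk-the-last-digit method the provider demonstrated. In practice the same counters would drive a lockout or a manual review of the provider's claims, and the thresholds would be tuned against the normal typo rate of legitimate providers such as TP-0042 in the sample.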

The site was closed down last year in England. New security measures have been added to the site in Scotland to prevent this sort of abuse.