DWP struggles to uncover cause of public data breach

A Whitehall department that is to supply some of the key technology for the ID cards scheme is trying to find out how its systems and processes allowed confidential information on up to 26,000 people to be compromised.

More than a week after the Department for Work and Pensions (DWP) discovered that it had accidentally sent bank, national insurance and personal details to the wrong people, it was unable to say why it happened. "The investigation is ongoing," said a spokesman.

The incident shows how an unexpected - and as yet unexplained - weakness in controls, processes or systems, or a combination of these, can allow a department with long-established procedures to disclose confidential citizen data accidentally.

Alexis Cleveland, chief executive of the Pensions Service, part of the DWP, said the failure "should have been spotted sooner".

She added, "We are working very closely with our IT provider to identify who has been affected."

The department told Computer Weekly that the accidental disclosure was a "separate issue" to its work on providing part of the technology for the ID cards scheme.

The National Identity Register - a database of citizens created to support the issuing of ID cards - will use some of the hardware, software and operations capability that is supplied by the DWP for its Customer Information System.

Whitehall officials emphasised that the ID cards database would not use data held in the DWP's Customer Information System - only the system's technology and operational capability. The register will be filled gradually with fresh and verified information derived, for example, from interviews with applicants for replacement passports.

A spokesman for the department said, "With regard to the DWP Customer Information System, there are strict measures in place to protect the integrity of people's data. Access to the information is only allowed where it is legal to do so, and it is restricted to the specific business needs of the customer.

"Specific controls are in place to restrict who can see each field, which manages the risk of unauthorised or inappropriate access."

Other Whitehall officials said that, under proposals for the ID cards scheme, biometric and other personal information would be held on separate databases, making it highly unlikely that someone without authorisation could gain access to both sets of data.

The problems came to public attention after some of those affected contacted the BBC's Today programme.

Tony Collins' IT projects blog
Against the current: exploring the challenges of complex IT projects
