August 31, 2006 10:53 AM PDT

U.K.'s Home Office admits to database breaches

The Home Office has admitted that the security of its ID and passport service database has been compromised several times, but denied that remote hackers were responsible.

In a response to a parliamentary question at the end of last week, the Home Office said it had had five security breaches in five years, mostly caused by civil service staff.

"The security breaches didn't involve people hacking into the systems," a Home Office representative told ZDNet UK on Thursday.

Four of the five incidents involved members of staff accessing the ID and Passport databases for unauthorized purposes. Three used their systems access privileges to conduct checks that were "not connected to their duties", according to an ID and Passport service spokesman, while in the other breach the staff member "misused data he was entitled to access".

In each of the cases "disciplinary action resulting in dismissal was undertaken," with one staff member "resigning before the proceedings came to an end," the spokesman said.

The fifth security breach occurred in a prison service system, when a "technical failure" caused the system to crash. The system has since been replaced, according to the Home Office.

The ID and Passport Service (IPS) said that this does not affect the ID card project, which will involve a massive database of personal and biometric data. Security experts have raised questions about how secure a national identity database linked to the government's ID card plan could be.

"The IPS takes the protection of systems and data very seriously. A range of protection and procedures are in place to prevent the misuse or abuse of official systems and to detect it where it does occur. IPS is committed to investigating any such misuse or abuse, and will deal with it in the strongest manner," the spokesman said.

However, the IPS admitted that the security breaches had still occurred, even with the protection systems in place.

"At the end of the day it's an issue of trust," the spokesman said. "People are security vetted, but trust can be breached. Anyone identified as breaching the system will be treated severely."

Tom Espiner of ZDNet UK reported from London.

See more CNET content tagged:
security breach, spokesman, ID card, database, security

2 comments

Join the conversation!
Add your comment
employees exploiting priveleges
Employees taking advantage of their priveleges is appaling, but not uncommon. Think about the files you share, the email you send... that's supposed to be for your intended recipient only. The FBI reports that "80% of asset misdirection happens when information is exploited by authorized users" (<a class="jive-link-external" href="http://www.essentialsecurity.com/Documents/article23.htm" target="_newWindow">http://www.essentialsecurity.com/Documents/article23.htm</a>) ... so this happening is a common occurence.
What needs to happen is more control, more policies and severe consequences for employees who take advantage of their priveleges. These employees got fired, which is a step in the right direction.
Posted by ml_ess (71 comments )
Reply Link Flag
Security protection from within and outside
The hack from within has always been a threat!!!

It doesn't matter how many times, nor whom, nor whether from remote or not!!!

THE ONLY THING THAT MATTERS is that it was hacked and the data was breached. Something which should have never happened in the first place.

Bottom Line: Security is only as good as it's implemented. Bad security implementations cause problems like this!

Something which NEVER should have happened... BUT DID!!!

Unless the right heads roll on this one... it WILL happen again!!!

Walt
Posted by wbenton (522 comments )
Reply Link Flag
 

Join the conversation

Add your comment

The posting of advertisements, profanity, or personal attacks is prohibited. Click here to review our Terms of Use.

What's Hot

Discussions

Shared

RSS Feeds

Add headlines from CNET News to your homepage or feedreader.