
Outsourced Company's Unsecure Application Makes U.K. Passport Applicant PII Available to Everyone On the Internet

On May 18 the U.K. Data Protection Commissioner said in a Channel 4 news report that he is going to investigate why an online visa application system left the personally identifiable information (PII) of around 50,000 applicants from India, who had applied for U.K. passports, viewable by anyone on the Internet.

The online visa applications area for residents from India was taken down soon after the report.

The application security flaw...er, gaping hole...was reported by Sanjib Mitra from India, who had used the site himself and, in April 2006, discovered he could access all of the Indian applications that had been submitted through it.

"He reportedly emailed the company last year but heard nothing. He emailed the British High Commission, who two months later replied that they would look into it. He then alerted an Internet journalist specialising in computer security."

So, the PII was exposed online for at least a year...possibly longer...and the government took no action after receiving a report of the security flaw.

The site processing was outsourced by the U.K.'s Visas government office to VFS Global, located in India.

U.K. organizations that outsource PII processing to other organizations, including those outside of the U.K., remain legally responsible under the U.K. Data Protection Act for ensuring the PII is properly safeguarded. Outsourcing the processing does not outsource that responsibility.

Apparently the outsourced organization, VFS Global, did not have effective measures in place to ensure security was built into its online application, and it did not test the application thoroughly before putting it into production.

This is another example of why organizations need to perform thorough information security program reviews of the organizations to which they outsource PII processing of any kind, in addition to including detailed information security requirements within the contracts.

It will be interesting to see what kind of penalty, if any, is applied to the U.K. Visas department which outsourced the Visa processing to VFS.

Ironically enough, in February 2007 they had awarded VFS Global a £297 million ($589 million) project to provide a "global information service to applicants" and to establish visa application centers in 50 countries. This was despite having been alerted to the security flaw in VFS Global's online visa processing application a year earlier.

Will they cancel this contract based upon this demonstrated lack of application security capability? We shall see...but likely not...


Comments

Hi Rebecca

I also blogged about this recently. One interesting item that should also be noted is that VFS Global, the company responsible for the UK visa application site, also processes visa applications for other countries such as the United States, Australia, Italy, France, Canada, Germany, Belgium, The Netherlands, Sweden, Thailand and Ireland. It appears visa applications to those countries were also affected, as per http://www.dharwadkar.com/weblog/hack_us_visa.

Thanks so much for the info, Brian!

Wow!!! Talk about a huge hole! Definitely worth keeping an eye on progress with this...

Others of you can see Brian's post at http://bhconsulting.blogs365.org/wordpress/?p=93


Rebecca Herold's Bio:

Rebecca Herold, CISSP, CIPP, CISM, CISA, FLMI, has been providing information security, privacy and regulatory assistance and services to organizations from a wide range of industries for over 18 years. Rebecca was instrumental in building the information security and privacy program while at Principal Financial Group, which was awarded the CSI Information Security Program of the Year Award in 1998. IT Security ranked Rebecca as one of the top 59 IT security influencers, and Computerworld put Rebecca on their list of the 25 top privacy experts and on their list of the 9 best privacy consulting firms. Rebecca has been CPO for two consulting organizations, and has had her own information privacy, security and compliance business since 2004. Rebecca has written chapters for several books and dozens of articles, has been writing a monthly privacy column for the CSI Alert newsletter since the beginning of 2001, and is working on her 11th book. Some of her other books include The Privacy Papers, Managing an Information Security and Privacy Awareness and Training Program, The Definitive Guide to Security Inside the Perimeter (Realtime Publishers), The Shortcut Guide to Improving IT Service Support through ITIL (Realtime Publishers), and The Practical Guide to HIPAA Privacy and Security Compliance. In addition, Rebecca is the leader of The Realtime IT Compliance Community, where she posts to her IT Compliance weblog. You can contact Rebecca at: rebecca_herold@realtimepublishers.net.