The data of millions of people in Britain is at risk as a result of significant cybersecurity issues with the government’s planned Digital ID, multiple whistleblowers have warned.
The whistleblowers, who have shared confidential documents and emails with ITV News to back up their claims, are senior civil servants involved in the development of the One Login technology, which will form the basis of Digital ID.
They have asked to remain anonymous to protect their careers.
One of the civil servants fears the problems could lead to “the worst data breach in UK government history”.

One Login is already used by 13 million people in the UK for a variety of government services, including managing a state pension, cancelling a lost passport and registering as a teacher or social worker.
The government has confirmed it will form the basis of Digital ID, which will become mandatory for all adults by 2029. The planned ID will be stored on a ‘Digital Wallet’ on an individual’s phone and contain their name, date of birth, nationality or residency status and biometric data (a photo).
Whistleblowers have told ITV News that One Login is failing to meet the mandatory, minimum government cybersecurity standards, ‘Secure by Design’ and the ‘Cyber Assessment Framework’.
People without the expected level of security clearance have been able to access the heart of the system, including staff in Romania who were hired to carry out some of the development.
There are concerns that system administrators have been using unsecure devices, creating the potential for a pipeline between bad actors on the internet and the most sensitive parts of digital ID.
A whistleblower told ITV News that hackers could target vulnerabilities in the One Login system.
“The vulnerabilities are standard things you must not do, but they’ve been done,” one of the whistleblowers told ITV News.
“It would not take any creative thinking for a state actor or organised crime to target the vulnerabilities in digital identity.”
Highly sensitive documents leaked to ITV News by another whistleblower show some of these concerns were investigated within the Government Digital Service and they found that “the programme is indeed carrying a high level of risk”.
The National Cyber Security Centre, which advises on secure digital practices, found One Login carried the risk of:
- bulk theft of personal data
- identity theft
- the government being defrauded
- economic damage
- people in witness protection, intelligence agents and foreign dissidents being identified
“We have proved it can be compromised”: A testing team was able to access sensitive areas undetected. If this were to happen as part of a real attack, a whistleblower says this could have widespread repercussions for everyday people.
Multiple sources have told ITV News that during a ‘red team’ exercise (a standard security test) earlier in the year, a major security flaw was uncovered.
A remote attacker was able to introduce malware onto a device used by a system administrator and gain access to sensitive parts of One Login without triggering an alert on the security monitoring system.
As the service is already live, the whistleblowers say it is theoretically possible that a state actor like Russia or China, or organised crime groups, could have already gained access to One Login without the government knowing.
“We don’t know if the system has been compromised or not, but we have proved it can be compromised,” says one of the whistleblowers.
“The maximum damage that I can conceive is that [the government] allow digital identity to continue to roll out and onboard all government services and then at a time of [a bad state actor or criminal’s] choosing, they deny access to the services.
“That would shut everybody out of attempts to claim their pensions, welfare benefits, renew their passport, get a driving licence, everything.
“I’ve risked my career to speak to you because I’m extremely concerned about it.”

ITV News repeatedly asked for an interview with the Secretary of State for Science, Innovation and Technology, Liz Kendall, whose department oversees One Login and Digital ID.
We were told she was unavailable for an interview.
Instead, we received a statement, attributed to an unnamed UK Government Spokesperson, which reads: “Protecting user data and the integrity of government systems is always our highest priority.
“We work continuously to monitor, and defend against, all threats, and work closely with the National Cyber Security Centre which provides advice to the programme on a wider range of cyber security matters,” the statement says.
“Our personnel hold the relevant levels of security clearance for their role, and we carry out regular, independent security testing as the public rightly expect, taking swift action whenever possible vulnerabilities are identified.
“Our security model involves multiple lines of defence and continues to provide a secure and trusted way for millions of people to access government services.”
In response to claims the red team was able to access the service without triggering a security alert, the statement says: “When after several weeks of testing the red team were unable to infiltrate or compromise the system during the exercise, we deliberately created a simulated scenario which gave them access to the system and enabled us to further test security.”
It should be noted that it is normal practice for a ‘red team’ to be given access to a system to test the strength of its security and monitoring. The concern raised by whistleblowers is that this went undetected by the security systems.