Security Breaches by UKvisas and Commercial Partners
UKvisas, the joint Home Office and Foreign and Commonwealth Office service dealing with applications for visas to come to the UK, has published the Report of the Independent Investigation: Breach of Data Security in the VFS Online UK Visa Application Facility, Operated Through VFS Websites in India, Nigeria and Russia. Linda Costelloe Baker, the Independent Monitor for entry clearance cases without right of appeal, was the Independent Investigator.
The report states:
‘On 21 December 2005, at 18:44 GMT, Mr Sanjib Mitra emailed UKvisas and VFS to warn that applicants using the online system in India could view other applicants' details by changing the number on the URL.’
Similar complaints were made in relation to Nigeria by a different person in 2006. Mr Mitra also complained about India in 2007. The UKvisas website, publishing the report, says: ‘In May 2007 UKvisas were made aware of a security breach of a website operated in India on our behalf by VFS.’
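The flaw Mr Mitra described, viewing another applicant's record by changing the number in the URL, is what is now commonly called an insecure direct object reference: the server looks a record up by the identifier supplied in the request and never checks that the logged-in user is entitled to it. The following is an added illustration, not code from VFS or UKvisas and not based on the actual site, with a constructed record store and constructed log lines. It shows a minimal vulnerable lookup beside a hardened one that checks ownership against the session, and a retrospective log check of the kind the report later recommends, listing successful reads of records the requester did not own.

```python
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Application:
    app_id: int
    owner: str          # login that submitted the form
    applicant_name: str
    passport_no: str

# Constructed sample store (hypothetical data). Sequential numeric ids are what
# make "change the number on the URL" work: nothing has to be guessed.
APPLICATIONS = {
    1001: Application(1001, "alice", "Alice Example", "P-CONSTRUCTED-1"),
    1002: Application(1002, "bob", "Bob Example", "P-CONSTRUCTED-2"),
    1003: Application(1003, "carol", "Carol Example", "P-CONSTRUCTED-3"),
}

def view_application_vulnerable(session_user: str, app_id: int) -> Optional[Application]:
    """The flaw described in the report: the handler trusts the id in the request
    and never asks whether the logged-in user owns that record."""
    return APPLICATIONS.get(app_id)

def view_application_hardened(session_user: str, app_id: int) -> Optional[Application]:
    """Ownership is checked server-side against the session, not the URL. A record
    that exists but belongs to someone else is reported exactly like a missing one,
    so the response does not confirm which ids are valid."""
    record = APPLICATIONS.get(app_id)
    if record is None or record.owner != session_user:
        return None
    return record

# Constructed access-log lines in the shape an application server might keep:
# timestamp, authenticated user, requested id, HTTP status. Dates are placeholders.
SAMPLE_LOG = [
    "2000-01-01T10:00:01Z user=bob id=1002 status=200",
    "2000-01-01T10:00:04Z user=bob id=1001 status=200",
    "2000-01-01T10:00:06Z user=bob id=1003 status=200",
    "2000-01-01T10:05:00Z user=alice id=1001 status=200",
    "2000-01-01T10:06:00Z user=alice id=9999 status=404",
]
LOG_RE = re.compile(r"user=(?P<user>\w+) id=(?P<id>\d+) status=(?P<status>\d{3})")

def unauthorised_reads(lines, store=APPLICATIONS):
    """Retrospective check of the kind the report recommends: every successful
    read where the requester is not the record owner. Returns {user: sorted ids}."""
    hits = defaultdict(set)
    for line in lines:
        m = LOG_RE.search(line)
        if not m or m.group("status") != "200":
            continue
        record = store.get(int(m.group("id")))
        if record is not None and record.owner != m.group("user"):
            hits[m.group("user")].add(record.app_id)
    return {user: sorted(ids) for user, ids in hits.items()}

if __name__ == "__main__":
    print(view_application_vulnerable("bob", 1001))   # leaks alice's record
    print(view_application_hardened("bob", 1001))     # None
    print(unauthorised_reads(SAMPLE_LOG))             # {'bob': [1001, 1003]}
```

The hardened handler returns the same "not found" answer for a foreign record as for a non-existent one, so a tampered URL reveals nothing about which identifiers exist. The log check only works if the server recorded the authenticated user and the requested id for each hit, which is why the report's remarks about the logs' limitations matter: without those fields, the question of how much data was actually read cannot be answered after the fact.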
This is the first matter discussed in the report. According to the report, May 2007 was the date when Mr Mitra, making a complaint again, got in touch with journalists about his concerns. The investigation report says:
‘What happened when the technical loophole was first raised in December 2005, what steps were taken to rectify the problem, and the circumstances surrounding the closure of the online visa application facility following the communication by Mr Winder in May 2007...
...The answer to the first question is simple: very little, and what was done was inadequate. VFS took what it thought was adequate technical action. UKvisas accepted VFS’s word and did not pursue the matter further.’
‘Insofar as it is reasonably possible to ascertain this within the framework of this investigation, how secure has the website been and to what extent has data from the website either been stolen or misused...
...The evidence now available confirms that the VFS online application websites have not been adequately secure from start-up until May 2007, when they were closed down. There is no evidence to date that data has been misused other than the unauthorised access noted in this report.’
‘The logs, even with their limitations, suggest that there has been less unauthorised access than first feared. I am quite clear that is more a matter of luck than good management, sound IT skills, or adequate oversight.’
The Independent Monitor states: ‘I do think that the relationship between VFS and UKvisas was perhaps too trusting and comfortable.’
VFS also operated online application websites in Nigeria and Russia. VFS are one of UKvisas’ ‘commercial partners’. In many countries, people applying for visas no longer go to the UK Embassy or High Commission. Instead they go to the office of a ‘commercial partner’, which receives the application and forwards it to the decision-makers at the Embassy or High Commission. Advantages of the system include applicants not having to travel long distances to Embassies and High Commissions and not having to join lengthy queues when they arrive. However, there are matters more important to applicants than personal comfort. One is security, and questions have been asked about whether the use of ‘commercial partners’ compromises security.
The UK government hopes to make online application forms a major part of the Points-Based System it wants to introduce for migration to the UK, and this is one reason why the report will be studied with great care by would-be applicants and their lawyers.
The Independent Monitor states:
‘UKvisas recently obtained an expert assessment of the basic data security provided by the VFS online website. The findings were that the site had many security weaknesses, and that many of these weaknesses were amongst the most understood and documented security concerns in the computing industry. The expert view was that none should be present within a securely designed website.’
She goes on to find that:
‘In addition to these technical assessments, I formed my own view that VFS procedures in relation to passwords for its own data users fell far short of even basic good practice. That view has been confirmed by a recent (June 2007) gap analysis report for VFS in relation to its work in specific visa application centre.’
She has asked the Office of Government Commerce (OGC) to conduct a procurement review of UKvisas’ contract with VFS. That report is awaited.
The Independent Monitor records in her investigation that VFS, as a data processor, is not required to register with the UK Information Commissioner, who oversees data protection. Instead, as she explains:
‘It appears as though UKvisas is required to comply with all eight of the data protection principles in its processing of personal data and if it engages a data processor to process personal data on its behalf, UKvisas is responsible for ensuring that the data processor complies with the principles.’
The investigation looks at the contracts in Russia, Nigeria and India. The Independent Monitor writes of compliance with UK Data Protection legislation that ‘the India contract does not deal with the more specific issue of access to VFS’s records by UKvisas as the data controller, in order to ensure compliance.’
The Independent Monitor provides an insight into her investigations when she says:
‘There is an understandable tension between those who run the day to day business and who want to get on with things, and those whose role is to ensure the safety and security of IT systems and personal data. There is evidence of that tension in much of the background information provided to me in the course of my investigation. During 2004 and 2005, exchanges between UKvisas’ Posts (not only in India) and headquarters and IT staff, though mostly business like were, on occasion, tetchy. The service providers in Posts wanted haste and to hand over more administrative burden to the outsourcers. Outsourcing companies, including but not limited to VFS, were understandably keen to help in order to grow their businesses. IT and data professionals urged caution, and often needed to explain why simple solutions could not work.’
The Independent Monitor makes a number of recommendations in her report and the Foreign and Commonwealth Office has responded to these. She states:
‘I note the expert view that the VFS online system is so poor that it should be completely re-written - one expert described it as an upside down pyramid, where piling more levels of changes and processes on the top only makes it more likely to fall over. I recommend that the VFS online application system should not be re-opened, though I note UKvisas has already reached that decision.’
The Foreign and Commonwealth Office response confirms acceptance of the recommendation and states that UKvisas now uses only the Visas4UK online application system.
The Independent Monitor writes that: ‘I recommend that UKvisas should continue its series of checks to try to ascertain if there has been unauthorised use of personal data.’ In its response, the Foreign and Commonwealth Office accepts every one of Ms Costelloe Baker’s recommendations. It states:
‘UKvisas accepts that a fundamental lesson arising from the Report is that there has to be adequate oversight of commercial partners’ performance, based on a sound contractual arrangement, now in place, and also on expert advice and well-resourced internal management functions.’
The report is written in the style that we have come to expect from the Independent Monitor: clear and very comprehensible. All those interested in the visa application system, in the development of the Points-Based System, and in what government and its contracting partners can and cannot, and do and do not, do with individuals’ data would benefit from reading the report.