Programming errors at the heart of the data breach at the Identity and Passport Services (IPS) could have been avoided, says F5 Networks.
The problem emerged when a parent told the IPS that they had discovered the existence of their child's passport application when using an online checking service. The incident was reported to the Information Commissioner's Office (ICO), which advised the IPS to request the unique application reference number from anyone wishing to check the progress of a passport application.
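The ICO's advice amounts to an access-control rule: an application's status may only be returned to a caller who can present that application's own unique reference number, so that editing an identifier in the URL no longer yields someone else's record. The following is an added illustration written for this article, not code from the IPS or from F5 Networks; the in-memory store, reference format and function names are assumptions.

```python
import hmac
import secrets

# Constructed sample data standing in for the application database.
# Reference numbers are random rather than sequential, so one applicant's
# number gives no hint of another's.
APPLICATIONS = {
    "1001": {"reference": "A7Q3-9KDM-2ZX8", "status": "Being processed"},
    "1002": {"reference": "H2LV-5PWT-8RN4", "status": "Printed"},
}


def weak_status_lookup(application_id: str):
    """The pattern the article criticises: the application id is the only
    input, so anyone who alters it in the URL sees another record."""
    record = APPLICATIONS.get(application_id)
    return record["status"] if record else None


def status_lookup(application_id: str, reference: str):
    """Hardened lookup following the ICO advice: the caller must also supply
    the application's unique reference, which is treated as a secret."""
    record = APPLICATIONS.get(application_id)
    # Always perform a comparison, even for an unknown id, so that response
    # timing does not reveal which application ids exist.
    expected = record["reference"] if record else "0000-0000-0000"
    if record is None or not hmac.compare_digest(expected.encode(), reference.encode()):
        # One indistinguishable answer for "no such application" and
        # "wrong reference": nothing about the record is disclosed.
        return None
    return record["status"]


def new_reference() -> str:
    """Issue an unpredictable reference when an application is created;
    a guessable (e.g. sequential) reference would defeat the check."""
    return secrets.token_hex(8).upper()
```

A production service would additionally rate-limit failed lookups per application id and log them, since repeated wrong references against one id are the signature of someone probing for another person's record.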
Bill Beverley, security technology sales manager, F5 Networks, said: “This isn't the first, and it certainly won't be the last time, that security flaws arising from programming errors are uncovered in government websites. Many sites are still constructed with usability and budgets as key considerations and neglect application level security, which would offer protection against such errors.
“Weak programming allows users to manipulate URLs and gives rise to this and other attack forms, such as the recent crop of SQL injection attacks. This simple error could have been avoided if there was a security mandate in place to ensure application security best practices are in place and adhered to. Guidance measures such as the Payment Card Industry (PCI) directive are successful because a) they are enforceable by an overseeing body and b) provide effective and comprehensive methodology to protect data across an industry.”
F5 Networks also called on the government to extend institutions such as the Centre for the Protection of National Infrastructure (CPNI) to other public service organisations.
Beverley added: “Without further legislation enforced by the government, organisations will continue to overlook security and we could see more sensitive data exposed through neglect.”
In the meantime, the IPS has said that it will continue to monitor information risks and identify any weaknesses.