The database that will take a central role in the national identity-card scheme has been breached more than 30 times since 2006.
The breaches of the Customer Information System (CIS), which is run by the Department of Work and Pensions, were revealed in a DWP memo to housing benefit and council tax benefit staff on 15 January.
CIS is designed to give local authorities access to citizens' data, including HMRC tax-credit information. In 2006, it was decided that the ID card project would use CIS for biographical information, to avoid having to create a new, monolithic database of the UK's inhabitants.
In the DWP memo, the government department said that desktop access to CIS had helped to "significantly improve service delivery" to citizens, but noted that a series of checks had identified that some local-authority staff were committing serious security breaches using the system.
On Wednesday, a spokesperson for the Department of Work and Pensions told ZDNet UK that 33 such breaches had been identified since 2006, but said the breaches were not necessarily intentional.
"The breaches were not necessarily someone purposely going on there and checking something they shouldn't," the DWP spokesperson said. "They could be inadvertently clicking on information."
The departmental memo reminded local-authority staff of CIS access rules. These are: staff cannot access their own records or the records of friends, relatives, partners or acquaintances; they cannot make enquiries on behalf of colleagues in respect of their friends, relatives, partners or acquaintances; they cannot share their system, Government Gateway or other identity password with their colleagues; and they must not access CIS for any unauthorised purpose.
The DWP's spokesperson did not respond to a request to describe how it might be possible to break these rules by inadvertently clicking on information in the CIS database, but did claim the number of breaches revealed in the memo showed the system was secure.
"The small number of breaches shows that the CIS security system is working and is protected by several different audit and monitoring controls, which actively manage and report attempts at unauthorised or inappropriate access," the spokesperson said.
The security analyst firm NCC Group said on Wednesday that the breaches showed the general inexperience of local authorities when dealing with large amounts of sensitive data.
Pointing out that it was "incredibly difficult" to know the true scale and frequency of such breaches, NCC Group director Ken Munro said in a statement that "central government understands protective marking of sensitive data, and vets staff appropriately, while many local authorities are found wanting in this area".
"Access to data such as this must be purely on a need-to-know basis, and should be carefully logged and reviewed on a regular basis," Munro said. "Personal data is of great use to the identity thief, and taking into account the number of individuals with access to the DWP CIS database, it would not be surprising if a small number could be coerced into extracting information for the needs of fraudsters."
Susan Hall, an ICT specialist at the law firm Cobbetts, said the news of the breaches "must be the final nail in the coffin for the government's national ID card programme".
"If council staff are able to snoop at our records so easily and undetected for so long, then how can an even larger and more complex database be safe?" Hall asked. "It has been reported that 'routine checks' unearthed these cases but if there are breaches dating back to 2006, then they are not proving very effective. Such negligence reinforces the need for custodial sentences for breaches of the Data Protection Act."
Asked whether the fact that it took up to two years for the breaches to come to light meant such events were not being picked up in time, the DWP's spokesperson claimed CIS control systems "actively manage and report attempts at unauthorised or inappropriate access on an ongoing basis".
"Checks are generated after the accesses and are followed up immediately by investigations where no business justification is apparent," the spokesperson added.
Talkback
"The breaches were not necessarily someone purposely going on there and checking something they shouldn't," the DWP spokesperson said. "They could be inadvertently clicking on information."
The above quote, apparently trying to make the issue sound less of a problem actually does the reverse. If they believe these breaches are inadvertent:
A: the system must be utter crap.
B: how easy it must be for someone who really does intentionally hack the system.
"did claim the number of breaches revealed in the memo showed the system was secure." I fail to understand the reasoning as, to me, one breach of the security shows the system is Insecure. A breach can only occur by a physical (hardware or software) error or by a user. If the breaches were by human error then the human interface control is inadequate, whether it is due to the dumb civil servant or the bad interface control. The dumb civil servant can be controlled by dismissal or criminal charges. If it is due to a physical system defect then it must be all systems stop while the bug is found and corrected. Only NO breaches is the acceptable standard and senior executives must personally accept the responsibility.