A USB stick containing the source code of the UK Government Gateway online system has been lost

Nov 3, 2008 13:29 GMT

The British Mail on Sunday newspaper reports that it came into possession of a USB stick containing the source code of the government's Gateway system as well as personal details of some of the service's registered members. The USB stick was lost outside a pub in Cannock, Staffordshire, by an employee of Atos Origin, the company which won a government contract in 2006 to administer the Gateway service for a period of five years.

The Government Gateway is an online system that allows people and organizations to register for and access numerous services supplied by government departments. Among other things, the system is used for tax and VAT returns, child benefits and pension entitlements, and it is estimated that 1.8 million people have used it for these services in 2008 alone. The extent of the personal and financial information stored in the system is considerable and could represent a treasure trove for identity thieves.

The USB device was lost by a 29-year-old IT analyst working for Atos Origin, a computer management firm which has won several government contracts. The memory stick was found by someone in the parking lot of a local pub in Cannock, but the newspaper reports that it came into their possession only a week after its discovery. The data contained on the device included the source code and a technical layout of the Gateway system, as well as samples of registered accounts.

As a result of the security breach, the Gateway website was taken down temporarily while an investigation into the incident was launched. The government later restored the system after concluding that the data on the USB device did not compromise its security, since the account login credentials were encrypted, no financial records were stored and the source code was old.

“Passwords are hidden using an industry standard technique which is difficult to break. We believe the risk of someone accessing personal data in this way is extremely low,” a Department for Work and Pensions spokeswoman told the Mail on Sunday. Security professionals disagree, however. They say that the particular encryption used can be cracked, and that the source code, even if a few months old, still poses a serious security risk when combined with the detailed technical chart, because together they would give an attacker precise directions on what to potentially exploit in order to gain unauthorized access to the entire system.

This security breach comes after a long series of similar government-related incidents that had the potential to compromise, or did compromise, the personal and financial records of millions of UK citizens. We have reported on several of these, originating in both the private and public sector. They include the theft of three USB hard drives containing personal details of military personnel from a secure location, the loss of personal information on 100,000 UK convicted criminals by government-contracted firm PA Consulting, and the loss of records on 25 million people by HMRC, the British department responsible for tax collection.

The UK's Information Commissioner, Richard Thomas, recently disclosed that “the number of data breaches reported to my office has soared to 277 since November 2007”. He added that “there have been 28 breaches by central government; 75 within the NHS and other health bodies; with 80 reported in the private sector,” and that 30 of the most serious incidents are currently under investigation.