Flaw exposes UK visa applicant data online
Technorati Tag: Security Breach
Date Reported:
11/13/07
Organization:
Foreign and Commonwealth Office (FCO) (UK)
Contractor/Consultant/Branch:
UKvisas, VFS Global (a subsidiary of the Swiss-based Kuoni Travel Ltd)*
*UKvisas is operated by the Foreign and Commonwealth Office (FCO); VFS Global, which is a subsidiary of Kuoni, was contracted to run the web sites reported.
Victims:
Certain overseas UK visa applicants
Number Affected:
as many as 50,000
Types of Data:
"applicants details"
Breach Description:
In May 2007, a journalist reported an information security flaw on a website owned by UKvisas but operated by an Indian company, VFS. An Information Commissioner's Office (ICO) investigation confirmed the unauthorized disclosure of personal information of up to 50,000 visa applicants. There is a report that UKvisas knew about the flaw as far back as December 2005 but chose to do nothing about it.
Reference URL:
UKvisas News Release dated November 11th
vnunet.com News Story
ZDNet News Story
Report Credit:
Channel 4 News (UK)
Response:
From the official UKvisas news release and other online resources cited above:
"The Foreign and Commonwealth Office (FCO) has been found guilty of breaking data protection laws after a security lapse on a visa application website."
"In May 2007 UKvisas were made aware by a journalist of a security breach of a website operated in India on its behalf by VFS, one of its commercial partners. A security flaw meant that applicants’ personal data was viewable by other internet users. UKvisas immediately closed down all VFS-operated online application websites – in India, Nigeria, and Russia."
[Comfyllama] "Immediately" as in May or "immediately" as in after the ICO report in July?
"An investigation by the Information Commissioner's Office (ICO) found that a flaw in the site meant that users could see as many as 50,000 other applicants' details when they logged in."
"On 17 May 2007 Lord Triesman appointed Linda Costelloe Baker to carry out an Independent Investigation of the breach. The Foreign Secretary laid the Independent Investigator's report before Parliament on 26 July. This made a number of recommendations, which UKvisas is implementing."
[Comfyllama] Nothing like being told what to do because you don't know what you're doing.
"The running of the site was outsourced to Indian company VFS, and a customer alerted the FCO to the problem in December 2005. The flaw remained in place, however, and the FCO only admitted to a problem earlier this year."
[Comfyllama] How do you explain this away? Arrogance, ineptitude, and/or negligence?
"On 19 September 2007, Mark Sedwill, Director of UKvisas, signed an undertaking with the Information Commissioner’s Office (ICO) confirming UKvisas’ continuing commitment to comply with the principles of the Data Protection Act 1998. This undertaking was published on the ICO web-site on 13 November."
"The VFS online application websites will not be reopened and will be replaced by visa4UK, the UKvisas online application facility which will be the only online application system used by UKvisas," said the FCO in a statement.
"Mark Sedwill said: “We take data security very seriously – the confidence of our customers and the public in the immigration system is crucial. That’s why we immediately shut down the VFS websites, took other action to prevent breaches elsewhere, accepted all the Independent Investigator’s recommendations, and have co-operated fully with the Information Commissioner’s Office."
[Comfyllama] What about the report of the customer approaching UKvisas in December, 2005? This was reported in "UK government guilty of DPA breach" by Iain Thompson at vnunet.com
"Neither we nor the Investigator found any evidence that the data vulnerabilities were exploited or visas issued wrongly as a result. Nor did the Investigator identify any other significant data protection issues"
"The new contracts we signed with our commercial partners in February 2007 impose stringent requirements for data protection and IT security, consistent with the Information Commissioner’s guidelines"
[Comfyllama] This brings up a very important and valid point. Organizations that possess confidential data MUST ensure that the protections in place at their partners and vendors are as secure or more secure than those employed by the organization. It is a good idea to create and implement a Vendor/Third-Party Security Policy and put security statements in the contract itself.
Information Commissioner's Office Remarks:
"Mick Gorrill, assistant commissioner at the ICO, said: "Organisations have a duty under the Data Protection Act to keep our personal information secure."
"If organisations fail to take this responsibility seriously they leave individuals vulnerable to identity theft and risk losing individuals' confidence and trust."
"We investigate any organisation in breach of the Act and will not hesitate to take appropriate action."
Commentary:
This is a difficult breach to follow.
The FCO organizes UKvisas to handle visa applications, but UKvisas has contracted some online visa processing to an Indian company VFS Global which is in turn owned by a Swiss company, Kuoni. Confusing? It just doesn't seem right.
According to the VFS Global web site (as of 11/15/07):
"Today, VFS Global serves 17 diplomatic missions in 39 countries worldwide, handling over three and a half million applications (contracted) every year. In early 2007 VFS Global was awarded a 200 million contract (spread over 5 years) with UKvisas to provide visa outsourcing services in 7 geographical regions, covering close to about 70% of UKvisas visa applications globally. "
According to the UKvisas news release, the FCO/UKvisas agreed to:
"The undertaking signed on 19 September is available on the ICO website at www.ico.gov.uk. It includes four main commitments:
- The VFS on-line application websites will not be re-opened and will be replaced by Visa4UK, the UKvisas online application facility which will be the only online application system used by UKvisas;
- strategic review of data processing will be undertaken by UKvisas in order to strengthen Data Protection Act risk management processes and a detailed audit carried out of the data processors data security procedures;
- Regular monitoring of the visa4UK website will be undertaken to ensure that the systems in place to provide effective protection against unauthorised access are operating correctly;
- Adequate and relevant data protection training will be given to all UKvisas staff on an ongoing basis."
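The flaw quoted above (logged-in users could view other applicants' details) and the commitment to regularly monitor that protection against unauthorised access is working both come down to the same control: a record must only be served to the account that owns it. The following is an added illustration, not code from the page or from UKvisas, VFS or the ICO. The page does not state the actual mechanism of the 2007 flaw; the lookup-by-id-without-ownership-check pattern, the `Application` store, the user names and the `cross_account_check` probe are all assumptions constructed for this example. The probe is the kind of check a "regular monitoring" commitment could automate: it walks every record as a user who does not own it and reports any that are returned instead of refused.

```python
"""Added example (not page or UKvisas/VFS code): an applicant-record lookup
that enforces ownership, shown beside the unchecked pattern, plus a
monitoring probe that reports cross-account leaks.  The mechanism of the
2007 flaw is not stated on the page; the missing-ownership-check pattern is
an assumption used here for illustration."""
from dataclasses import dataclass


class AccessDenied(Exception):
    """Raised when a user asks for a record they are not entitled to see."""


@dataclass(frozen=True)
class Application:
    app_id: int
    owner: str      # account that submitted the application
    details: str    # constructed placeholder for the applicant's details


# Constructed sample store; a real system would read from a database.
APPLICATIONS = {
    1001: Application(1001, "alice", "Alice Example, passport A0000001"),
    1002: Application(1002, "bob", "Bob Example, passport B0000002"),
}


def get_application_unchecked(app_id, user):
    """Vulnerable pattern (assumed): the record is selected by id only, so
    any logged-in user can read any applicant's details."""
    return APPLICATIONS[app_id].details


def get_application(app_id, user):
    """Hardened lookup: the record is returned only to its owner.

    A missing record and someone else's record produce the same error, so
    the response does not reveal which application ids exist."""
    record = APPLICATIONS.get(app_id)
    if record is None or record.owner != user:
        raise AccessDenied(f"user {user!r} may not view application {app_id}")
    return record.details


def cross_account_check(lookup):
    """Monitoring probe: every record must be refused to every logged-in
    user who does not own it.  Returns the (app_id, user) pairs that leaked,
    so an empty list means the access control is operating correctly."""
    users = {a.owner for a in APPLICATIONS.values()}
    leaks = []
    for app_id, record in APPLICATIONS.items():
        for user in sorted(users - {record.owner}):
            try:
                lookup(app_id, user)
            except AccessDenied:
                continue
            leaks.append((app_id, user))
    return leaks


if __name__ == "__main__":
    print("unchecked lookup leaks:", cross_account_check(get_application_unchecked))
    print("hardened lookup leaks: ", cross_account_check(get_application))
```

Run stand-alone, the probe lists both records as leaked by the unchecked lookup and nothing for the hardened one. In a deployment the same probe would run against the live site with a small set of test accounts, and any non-empty result would be an alert rather than a print line.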
Past Breaches:
Unknown