An investigation into a security bug on a website used to apply for UK visas has painted a damning picture of “organisational failures” by a government agency and its contractor.
The online UK visa application website for people in India, Russia and Nigeria was provided by VFS Global, a commercial partner of the joint Foreign Office and Home Office agency, UKVisas.
Ministers pledged an inqiury after the site was closed down in May following publicity over the security bug – which made personal details of visa applicants easily accessible to hackers.
The report by independent investigator Linda Costelloe Baker slams UKVisas’ outsourcing of the online service to a firm that is not an IT specialist, the contractor’s performance and the failure to respond adequately when the security hole was first revealed by Indian national Sanjib Mitra in December 2005.
There had been “inadequate central control of the moves to outsourcing”
and contracts had paid “insufficient attention to the requirements of the Data Protection Act and to basic IT security”.
Costelloe Baker added: “UKVisas was undoubtedly relieved to have the practical administrative assistance provided by outsourcing, but it did not obtain adequate third party or expert assurances that the VFS IT system was robust, even before VFS was allowed to start up an online system.”
UKVisas should have made its expectations clearer, Costelloe Baker said, and the contracts drawn up by UKVisas “lacked specificity”.