Foreign office minister Lord Triesman has pledged an independent inquiry into a security flaw on a website used to apply for UK visas that made personal details of applicants easily accessible to hackers.
The online UK visa application website for people in India, Russia and Nigeria is provided by VFS Global, a commercial partner of the joint Foreign Office and Home Office agency UKVisas.
A statement on the UKVisas website says the VFS site is “currently unavailable” due to a “technical problem”.
But Triesman acknowledged the seriousness of the security breach, saying: “Security is paramount in our visa system. We will conduct an immediate, thorough and independent investigation into this reported breach of one of our commercial partner’s systems. The outcome will be made public.”
The government is particularly sensitive to website security breaches just days after health secretary Patricia Hewitt announced that the NHS’s online system for junior doctors to apply for specialist training posts would be axed. The announcement was sparked by a security breach that saw the personal details of hundreds of doctors made available online through the Medical Training Application Service website.
Triesman emphasised: “The VFS is not a government website or connected to any UK government information system or website. No government website has been compromised.”
The security breach was highlighted by Davey Winder in a post on his technology blog. Winder described how a security hole first found a year ago had not been fixed.
“I was able to manipulate the data URL simply by changing what appears to be the date on which the application was made along with a sequence number,” he wrote.
“Doing this, entirely at random, brings up the visa application details of people ranging from someone who applied yesterday through to some who applied a year ago and I have the screenshots to prove it.”
In March, UKVisas signed a £140m outsourcing deal with CSC that will see the IT services firm establish three regional visa application centres covering 15 countries as well as providing multilingual call centres and websites in another 87 countries.
CSC will also be responsible for capturing biometric data on all visa applicants, including photographs and fingerprints.
UKvisas’ own Visa4UK website is not affected by the security breach and is operating normally in the countries where it is available.