British Visa Data Blunder: Why The Government Shouldn’t Have Your Data

The UK Government has been exposed to a very embarrassing technology-related problem: revealing the personal details and travel plans of people hoping to visit the UK from India.

A schoolboy programming error on the VFS-UK application site, which exposed applicants' details to anyone who simply changed the reference number in the URL, was first discovered by Sanjib Mitra.

He'd been trying to apply for a visa himself when the system he'd taken an hour to type his details into appeared to lose them all. In desperation to try to retrieve his work, he altered the URL. The quote from his blog was actually:

About two minutes of twiddling with the VFS Uniform Resource Locator (URL) resulted in the following revelation: Anyone who has ever applied for a UK visa online has their personal details exposed to everyone on the Internet.

Personal details such as passport number, address, phone numbers, email, family details, work details, salary, clients, real-estate owned, countries you’ve visited, where you’re going and when you’re travelling…the list goes on. Essentially, the entire form, i.e. everything the British High Commission needs to know about you to grant you a visa, is available for anyone to misuse. Security is thrown out the window.

Realising the data security implications, he acted to try and stop it.

I sent an email to both VFS India and the British High Commission explaining this serious security issue. After about two months, I heard back from the British High Commission thanking me for the email bringing this to their notice, and promising to look into this matter. A year later nothing has happened.

This was all brought to the attention of the UK and world media by an article written by Davey Winder.

And it’s costing the UK a fortune
Channel 4 News reported on TV that VFS had recently been given a £120m contract to handle the applications for the next five years.

What the _hell_ is the numpty that signed off that budget doing? Who pays £120m to handle a simple process?

It’s beyond belief that this kind of process couldn’t have been handled by a UK company for the same or a lesser amount of money.

Hearing about this government paying these huge sums for very little further convinces me that the people making these decisions have no real idea of how things work in the real world.

The Government can’t be trusted with our data
The UK government bangs on endlessly about personal data security; identity theft being one of the largest risks to our livelihoods; how international terrorists are around every corner just waiting to spring out on us; how we must be constantly vigilant. And all the while it is working with companies that don’t have the ability to keep control of data that _is_ sensitive.

What’s more worrying is that they want to build a huge database containing everyone’s identity information and also centralise all health records.

Where is the record to prove that they can securely handle anything more than the colour of my toothbrush without exposing it?

[Parliament image courtesy of Stephen Dusk]