Alleged flaws with GOV.UK’s One Login system have surfaced three years after it became operational.
The Government Digital Service has lauded the system for successfully verifying 1.8 million people’s identities since August 2023, but a whistleblower from GDS has now broken their silence, highlighting concerns raised about shortcomings in the system’s data protection. The problems have been confirmed through an internal investigation by GDS’s Chief Information Security Officer.
The employee, who works in information security, remains unnamed in the exposé article and claims to have written to an MP after no action was taken to investigate the potential problems. An MP addressed the claims with the Cabinet Office; however, the GDS did not disclose its knowledge of prior warnings.
The whistleblower claims the potential problems around the information security of One Login – reported to GDS executives in July 2022 – are yet to be resolved.
One Login is the government’s interoperable onboarding system, which will underpin the GOV.UK digital wallet later this year.
A spokesperson for the Department for Science, Innovation and Technology confirmed they are fully compliant with UK data protection and privacy laws – including UK GDPR and the Data Protection Act 2018.
He claims a backlog of concerns with the system, including a lack of security personnel providing effective cyber security management and no records of security requirements or of risk assessments being carried out.
Natalie Jones, GDS Director of Digital Identity, commented on useful “observations” raised in the whistleblower report. However, in responding correspondence, GDS chief executive Tom Read argued that the function of information assurance (IA) teams within GDS, providing secondary review and manual processes, was dissolved, allowing for automated security alerts. “Integrated engineering/security (dev/sec/ops) has been best practice for some years”, ComputerWeekly.com reported. The internal IA team disbanded in October 2023 and merged with the Information Security team.
Concerns raised about One Login date back to November 2022, according to ComputerWeekly.com.