
Government faces claims of serious security and data protection issues in One Login digital ID


The Government Digital Service (GDS) was warned by the Cabinet Office and the National Cyber Security Centre (NCSC) that its One Login digital identity system had “serious data protection failings” and “severe shortcomings” in information security that could increase the risk of data breaches and identity theft.

Concerns were subsequently confirmed by an internal investigation led by GDS’s chief information security officer. But when, soon after, an MP wrote to the Cabinet Office to enquire about potential issues around the information security of One Login, GDS did not mention any of the warnings in its response.

According to claims by a whistleblower, many of the security concerns that were reported have yet to be resolved.

One Login is the government’s flagship system for securely accessing online public services and underpins the Gov.uk digital wallet and the digital driving licence launched by technology secretary Peter Kyle in January this year as part of his new government digital strategy.

The whistleblower – who Computer Weekly has agreed not to name, but who has many years of cyber security experience and worked in a senior information security management role at GDS – first warned GDS leaders of serious cyber security concerns with One Login in July 2022.

He says his warnings were not heeded, forcing him 18 months later to write to his MP to highlight the issues, citing the 1998 Public Interest Disclosure Act, which protects civil servants who whistleblow about situations they believe to be in the public interest. He was subsequently informed by GDS that he would face disciplinary action.

As a result of his initial warnings, then GDS chief executive Tom Read found out that development work on One Login had been offshored to Romania, without his knowledge or approval and without first seeking advice from the NCSC.

The whistleblower claims that some of the security failings he identified have still not been addressed and, as a result, the information security of the three million users of One Login remains at risk.

He cites over two-and-a-half years of reluctance from the GDS digital identity team to fully address his concerns.

A spokesperson for the Department for Science, Innovation and Technology, of which GDS is part, said: “We are fully compliant with UK data protection and privacy laws – including UK GDPR and the Data Protection Act 2018 – adhere to National Cyber Security Centre advice and operate a three lines of defence process. This ensures data is protected, fraud is deterred and detected, and threats are monitored and responded to.”

Serious security concerns

In July 2022, the month after One Login went live, the whistleblower advised GDS senior leaders of a number of serious cyber security concerns in the system – as was his responsibility in the job he was performing at the time.

His concerns included:

  • The digital identity team had insufficient security and assurance personnel to provide effective cyber security governance and management;
  • No risk or threat assessment for One Login had been carried out;
  • There were no records to show that security obligations and requirements had been identified;
  • No information security management system had been put in place;
  • Insufficient security monitoring, including areas of concern such as indicators of compromise and the number of people with privileged access to the live production system.

The whistleblower also reported that system administration was being carried out through non-compliant devices, with a risk of transmitting security vulnerabilities, such as malware or phishing attacks, that could compromise the live system.

The NCSC recommends that system administration for key government services should be carried out from a dedicated device used only for that purpose, known as a privileged access workstation (PAW), or alternatively using only “browse down” devices, where the security level of the device is always the same as or higher than that of the system being managed. The whistleblower warned that a lack of PAWs and the use of browse-up administration were significant risks.

As part of his proposals to address these issues, the whistleblower further claimed that the business case for One Login, which was used to approve over £330m of spending on the project, included misleading statements about the security approach taken for the system, and that cyber security risks were not adequately assessed.

He recommended to GDS leaders that the National Audit Office (NAO) or the Infrastructure and Projects Authority (IPA) – the final arbiters of information assurance in the civil service – should be informed. His recommendation was rejected.

According to civil service guidelines, every IT system should have three levels of information assurance – first, by the team developing the system; second, through independent assurance from civil service specialists outside the team; and third, from the NAO or IPA.

Valuable observations

In an email to GDS leaders in August 2022, director of digital identity Natalie Jones – the senior responsible owner for One Login – admitted that the whistleblower’s report about information assurance issues on One Login contained “a number of valuable observations and recommendations” and also acknowledged the need for the three levels of structured assurance.

However, in reply to Jones’ email, then GDS chief executive Tom Read questioned the role of the GDS information assurance (IA) team that provided the second-level independent review function, saying that “the days of having a separate ‘judging, assessing and blocking’ IA team should be long gone, and integrated engineering/security (dev/sec/ops) has been best practice for some years”.

Fourteen months later, following the appointment in October 2023 of a new chief information security officer (CISO) at GDS, the internal IA team was disbanded and moved into a new Information Security team.

Another aspect of the whistleblower’s July 2022 advice to GDS leaders raised questions over the use of offshore software development for One Login, provided as part of a contract with Deloitte.

In the same email from Read, the CEO said he was “uncomfortable that this is how I find out we’ve decided to offshore dev work. I would expect this to come to me for advice or a decision, including advice from NCSC”.

Data protection failings

In November 2022, GDS was told by the Cabinet Office data protection officer (DPO) that One Login had “serious data protection failings” and that the live service should be suspended pending resolution.

In a report to Jones, the DPO made 11 recommendations to address the risks he identified with the One Login service at the time.

He said the initial draft of the mandatory data protection impact assessment (DPIA) for One Login “did not adequately identify and provide mitigations for key risks before the live service and app were launched. These risks include the lawful basis relied on for biometric data, the legal prohibition of automated processing – and specifically the prohibition on automated processing based on special category data, such as biometric data, without explicit consent – and the failure to disclose the processing of special category data”.

The DPO also questioned whether the One Login team had had sufficient discussions with the Information Commissioner’s Office (ICO) over the risks identified.

“These risks remained high post the mitigation measures identified in the DPIA, and this should therefore have triggered the legal obligation to conduct a statutory prior engagement with the Information Commissioner before the service went live. While I understand that there has been some engagement with the ICO, this may not be sufficient to discharge this obligation,” he said in his report to Jones.

At the time, about 300,000 user accounts had been created in One Login – today there are more than three million. According to the whistleblower, GDS paid for an external lawyer to make a counterargument that the service was compliant, in order to prevent its suspension.

A mandatory DPIA has still not been published, despite the system having been live for more than three years.

Severe shortcomings

In September 2023, the NCSC wrote to Jones, saying that One Login had “severe shortcomings” in its cyber security, identifying “top-level risks” including “bulk personal data breach” and “risk of impersonation leading to mass fraud”. The NCSC concluded that “the current design and operating procedures of the system leave significant risks”.

The following month, the whistleblower wrote to the then GDS chief operating officer (COO) to further highlight his concerns, stating that the security issues he had identified the previous year had not been resolved.

He provided the COO with further data that showed over half a million vulnerabilities relating to security and resiliency within the live One Login service, of which over 10,000 were considered “critical” and over 7,000 “high”. The bulk of the vulnerabilities – over 475,000 – were classed as “medium”.

He raised additional issues around information assurance. Assurance for One Login was conducted by an external consultancy, 6point6 – now a subsidiary of Accenture – which he said represented a conflict of interest because the company is also one of the main suppliers developing One Login. Furthermore, he said the 6point6 team was refusing to share critical information with GDS’s second-line assurance function.

To this day, the whistleblower claims that the only risk assessments for One Login have been carried out by 6point6, and that no independent risk assessment has been completed, which goes against civil service guidance.

High level of risk

Subsequently, in November 2023, the newly appointed CISO, Breandan Knowlton, wrote to Read and Jones confirming One Login was “indeed carrying a high level of risk”. He listed a series of concerns, which included:

Security clearance of personnel. According to earlier claims by the whistleblower, staff without sufficient security clearance had accessed the live production environment – containing data and code – over 6,000 times in a single month, including Deloitte staff based in Romania, which he described as “indicative of an unstable and poorly secured service”. He further claimed that 39% of production administrators did not have the appropriate “security check” (SC) level of security clearance, despite being responsible for handling “millions of citizens’ sensitive personal data”.

Software engineering teams based overseas – described by Knowlton as “irregular” for a government service, acknowledging that even the “fairly small” number of offshore developers “still represents a risk”.

Direct production system access – with Knowlton saying the number of people accessing the live system was “troubling”, and indicated “a failure of automated sociotechnical security controls and tooling”.

Alerting – acknowledging that “automated tooling can identify a firehose of potential vulnerabilities”, which Knowlton believed the digital identity team had “a handle on”, but adding that “the current risk is likely to remain high”.

Security culture – with Knowlton saying that “security is currently taken seriously”, but adding that “the intense delivery pressure may be putting pressure on the programme to overreport current security readiness”.

Knowlton reported that “remediation plans [are] in place to address security and technical debt”, but concluded that, “If upon review by the DI [digital identity] team the majority of these concerns are evidenced and remain unaddressed, the security posture of the DI service will be deemed to fall outside of acceptable GDS and DI thresholds”.

Frustrated by inaction

In January 2024, frustrated by what he saw as inaction from GDS, the whistleblower wrote to his MP, James Sunderland, about his security concerns, citing whistleblower protection laws, and his MP wrote to Cabinet Office minister John Glen requesting a response.

On 5 February 2024, GDS initiated disciplinary action against the whistleblower.

On 8 February, Jones wrote to minister Glen in response to the allegations raised by the whistleblower in his letter to his MP. She included background information about the whistleblower and his recent history in GDS.

“This civil servant made very similar claims internally in 2023, which were fully investigated and actioned at the time. His restated assertions do not appear to reflect the additional security measures implemented by One Login during the intervening period, as part of the programme’s commitment to continuous improvement,” Jones wrote.

“The wider issues associated with the employee who has raised the issue sharing sensitive information externally are being investigated through the Civil Service’s personnel and security channels.”

Her responses to the claims over security concerns said that “cyber security, resilience and information assurance have been amongst the programme’s highest priorities since its inception”. She explained the programme’s “robust approach” to security and rebutted the specific points that had been raised.

Jones’ responses to Glen regarding the specific points raised by Sunderland were:

Sunderland: How many individuals without national security vetting to SC had privileged access to the live service within the production environment, enabling them to make changes or access data at will?

Jones: “Over the last six months, we have strengthened One Login’s processes for onboarding new recruits and for granting access to the production environment (ie. to the live system’s code and critical software tooling). All One Login staff, regardless of nationality, are required to undergo a minimum of [the government’s] Baseline Personnel Security Standard (BPSS) or equivalent checks before starting work. No ‘unchecked’ foreign nationals have been, or are, employed on the programme.

“Roles that need production access require Security Check (SC) vetting. An audit in December 2023 identified 172 people with production access; we are continually seeking to reduce this cohort to its smallest viable size while still maintaining the resilience of the system. Named individuals may also be granted limited access, on a case-by-case basis and if approved by a senior civil servant, if they hold BPSS and are undergoing the SC process. 22 people are currently in this category, but it is important to note that their work must be approved by an SC-cleared member of the team before it becomes part of the One Login technical solution.

“A range of controls are in place, even for SC-cleared personnel. For example, code changes are subject to automated testing and two-person checks. Databases containing account details are encrypted. Access to sensitive data stores is restricted and protected by automatic monitoring, with any alerts sent to both the One Login security team and the Cabinet Office’s cyber monitoring function.”

Sunderland: How many security vulnerabilities have been detected in the live service by manual and automated security tests, including those needing further investigation?

Jones: “The One Login team continually tests and checks the system to minimise vulnerabilities… All identified vulnerabilities are investigated, prioritised and remediated. As part of this approach, in August 2023 the programme assessed One Login against 32 security and operational best practice guidelines, ranging from high-level principles to granular standards in areas such as governance, cyber security, monitoring and resilience. This exercise identified a number of findings that were repeated across multiple production accounts, leading to an artificially large number of potential vulnerabilities (which was the source of some of the employee’s original concerns). Once the duplicates had been removed, however, they were categorised as eight critical, 34 high, 25 medium and 21 low findings. Of the eight highest priority findings, one was a false positive, two have been fully addressed and the remaining five are currently being remediated. All the remaining findings are also being triaged and addressed.”
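Jones’ explanation above, that one finding repeated across several production accounts inflates the raw count, is the usual reason a scanner total and a triage total diverge by orders of magnitude. The block below is an added example, not code from GDS or the One Login programme: it deduplicates a constructed set of findings by (rule, severity) while keeping the set of accounts and resources each unique finding hits, so the list shrinks for triage without losing the blast radius. The rule names, account names and resources are made up for the illustration.

```python
from collections import Counter

# Constructed sample (not real scanner output): one row per (account, resource)
# hit for a rule. Three accounts share the same misconfigurations, which is
# what makes the raw count several times larger than the unique-finding count.
FINDINGS = [
    {"account": "prod-1", "rule": "S3-PUBLIC-READ",  "resource": "s3://bucket-a",     "severity": "critical"},
    {"account": "prod-2", "rule": "S3-PUBLIC-READ",  "resource": "s3://bucket-b",     "severity": "critical"},
    {"account": "prod-3", "rule": "S3-PUBLIC-READ",  "resource": "s3://bucket-c",     "severity": "critical"},
    {"account": "prod-1", "rule": "IAM-NO-MFA",      "resource": "iam://user/alice",  "severity": "high"},
    {"account": "prod-2", "rule": "IAM-NO-MFA",      "resource": "iam://user/alice",  "severity": "high"},
    {"account": "prod-1", "rule": "SG-OPEN-SSH",     "resource": "sg-0a1b",           "severity": "high"},
    {"account": "prod-1", "rule": "TLS-1.0-ENABLED", "resource": "alb/api",           "severity": "medium"},
    {"account": "prod-2", "rule": "TLS-1.0-ENABLED", "resource": "alb/api",           "severity": "medium"},
    {"account": "prod-2", "rule": "LOG-RETENTION",   "resource": "cloudtrail/main",   "severity": "low"},
]

SEVERITIES = ("critical", "high", "medium", "low")


def raw_counts(findings):
    """Count every row as reported: the 'artificially large' scanner number."""
    c = Counter(f["severity"] for f in findings)
    return {s: c.get(s, 0) for s in SEVERITIES}


def dedupe(findings):
    """Collapse rows into one finding per (rule, severity).

    Each merged finding keeps the accounts and resources it was seen on, so
    deduplication reduces the triage list without hiding how widely the
    same weakness is replicated.
    """
    merged = {}
    for f in findings:
        key = (f["rule"], f["severity"])
        entry = merged.setdefault(
            key,
            {"rule": f["rule"], "severity": f["severity"], "accounts": set(), "resources": set()},
        )
        entry["accounts"].add(f["account"])
        entry["resources"].add(f["resource"])
    return list(merged.values())


def deduped_counts(findings):
    """Severity tally after deduplication: the number a triage team works from."""
    c = Counter(f["severity"] for f in dedupe(findings))
    return {s: c.get(s, 0) for s in SEVERITIES}


def widest_findings(findings, n=3):
    """Unique findings ranked by how many accounts they affect.

    A single misconfiguration present in every account is one finding to
    fix but the largest exposure, so breadth, not just severity, orders the work.
    """
    return sorted(dedupe(findings), key=lambda e: (-len(e["accounts"]), e["rule"]))[:n]


if __name__ == "__main__":
    print("raw     :", raw_counts(FINDINGS))
    print("deduped :", deduped_counts(FINDINGS))
    for e in widest_findings(FINDINGS):
        print(f"{e['rule']:<16} {e['severity']:<8} accounts={sorted(e['accounts'])}")
```

The two tallies are the point: the raw count triples the critical figure, yet the one critical finding is still present in all three accounts and is the first thing to fix, which is why the deduplicated record retains the account set rather than only a total.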

Sunderland: The number of occasions per month when systems underpinning the live service were directly accessed by staff and contractors?

Jones: “It is necessary and important for named staff to be able to access One Login’s live system, to ensure its smooth and robust operation. This is controlled, logged and monitored, with automated alerting in the event of unauthorised, out of hours and/or unusually frequent access. In January 2024, individuals accessed the production environment a total of 6,222 times. This is in line with expected levels for a system of One Login’s complexity. Any unapproved access to the system would be fully investigated. The One Login security team regularly carries out threat modelling and red teaming exercises to map out how a ‘bad actor’, whether internal or external, might try to infiltrate or attack the system. The findings are then used to strengthen further the system’s design and protections, including so that the impact of any compromise would be limited and ineffective.”

According to the whistleblower, the number of times cited for the production environment being accessed was unusually high – by comparison, he quotes figures for another GDS service, Gov.uk Notify, which processes one billion messages per year, but in an average month he says Notify sees full-privilege interactive access just 10 to 12 times.
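Jones’ answer describes alerting on unauthorised, out-of-hours and unusually frequent access, and the whistleblower’s comparison with Gov.uk Notify turns on what “unusually frequent” means for a particular service. The block below is an added example, not GDS code: it runs those three checks over a constructed interactive-access audit trail in an assumed line format, and also reports the monthly total and the number of distinct people behind it. The working-hours window and the per-user daily threshold are parameters that a service would set from its own baseline, which is exactly the comparison the whistleblower is drawing.

```python
import re
from collections import Counter
from datetime import datetime, timezone

# Constructed sample audit trail (not real logs; the line format is assumed for
# this example). 15 January 2024 is a Monday; 20 and 21 January are a weekend.
LOG_LINES = """
2024-01-15T09:12:44Z user=alice action=start_session target=prod-app-1 outcome=success
2024-01-15T09:40:02Z user=alice action=start_session target=prod-app-2 outcome=success
2024-01-15T10:05:19Z user=bob action=start_session target=prod-db-1 outcome=success
2024-01-15T23:48:31Z user=carol action=start_session target=prod-db-1 outcome=success
2024-01-16T02:14:07Z user=carol action=start_session target=prod-db-1 outcome=success
2024-01-16T11:02:55Z user=dave action=start_session target=prod-app-1 outcome=success
2024-01-16T11:03:10Z user=dave action=start_session target=prod-app-2 outcome=success
2024-01-16T11:03:41Z user=dave action=start_session target=prod-app-3 outcome=success
2024-01-16T11:04:12Z user=dave action=start_session target=prod-db-1 outcome=success
2024-01-16T11:04:50Z user=dave action=start_session target=prod-db-2 outcome=success
2024-01-16T11:05:20Z user=dave action=start_session target=prod-cache-1 outcome=success
2024-01-20T14:30:00Z user=erin action=start_session target=prod-app-1 outcome=success
2024-01-21T10:00:00Z user=bob action=start_session target=prod-db-1 outcome=denied
""".strip().splitlines()

LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) action=(?P<action>\S+) "
    r"target=(?P<target>\S+) outcome=(?P<outcome>\S+)$"
)


def parse_line(line):
    """Parse one audit line into a dict; the timestamp becomes a UTC datetime."""
    m = LINE_RE.match(line)
    if not m:
        raise ValueError(f"unparseable audit line: {line!r}")
    ev = m.groupdict()
    ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return ev


def is_out_of_hours(ts, work_hours=(8, 18)):
    """True on a weekend, or on a weekday outside the [start, end) UTC window."""
    start, end = work_hours
    return ts.weekday() >= 5 or not (start <= ts.hour < end)


def review_access(lines, daily_threshold=5, work_hours=(8, 18)):
    """Apply the three alerting rules and summarise the period.

    - unauthorised: any outcome other than 'success' (denied attempts matter
      because they show someone trying a door they should not have)
    - out_of_hours: session started outside the working window
    - unusually_frequent: one user opening more than daily_threshold sessions
      in a single day, the tunable baseline that differs per service
    """
    events = [parse_line(line) for line in lines]
    alerts = []
    per_user_day = Counter()
    for ev in events:
        when = ev["ts"].isoformat()
        if ev["outcome"] != "success":
            alerts.append(("unauthorised", ev["user"], when))
        if is_out_of_hours(ev["ts"], work_hours):
            alerts.append(("out_of_hours", ev["user"], when))
        per_user_day[(ev["user"], ev["ts"].date())] += 1
    for (user, day), n in sorted(per_user_day.items()):
        if n > daily_threshold:
            alerts.append(("unusually_frequent", user, f"{day} x{n}"))
    return {
        "total_accesses": sum(1 for ev in events if ev["outcome"] == "success"),
        "distinct_users": len({ev["user"] for ev in events}),
        "alerts": alerts,
    }


if __name__ == "__main__":
    summary = review_access(LOG_LINES)
    print(f"{summary['total_accesses']} successful accesses by {summary['distinct_users']} people")
    for kind, user, detail in summary["alerts"]:
        print(f"ALERT {kind:<19} {user:<6} {detail}")
```

The monthly total is reported alongside the alert list because a figure like 6,222 on its own says little: a few break-glass sessions spread over many people and a continuous stream of routine logins by the same handful produce very different alert lists from the same total, and it is the distribution, not the sum, that the threshold has to be calibrated against.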

Sunderland: From a cyber security perspective, what was the IPA made aware of in their review, when and by whom?

Jones: “We have a very constructive relationship with the IPA which, in line with One Login’s status as a government major project, has undertaken three independent reviews of the programme. The most recent was in November 2023. We shared with the IPA all of the extensive documentation it requested, and the review team held candid interviews with personnel from across the programme – including One Login’s senior team and the head of security – and in other government departments. The IPA’s report made a number of recommendations, which we are currently reviewing, but commended the programme on its openness, delivery progress and the growing maturity of its live operations.”

Jones drafted a response to Sunderland that further summarised some elements of the information she had provided to Glen. In neither letter did Jones mention the earlier warnings from the Cabinet Office DPO, the NCSC or the GDS CISO.

Following guidance

GDS maintains that it follows civil service and NCSC guidance on security and data protection. The One Login programme employs a team of security specialists, with additional scrutiny and assurance provided by GDS’s CISO, the Cabinet Office’s central cyber teams and the NCSC.

A Threat Intelligence and Counter Fraud team in GDS aims to ensure product features are counter-fraud by design and proactively monitored to investigate and intercept fraudulent activity.

GDS is assured against industry best practice guidance and says it regularly engages with the Information Commissioner’s Office, as well as conducting regular risk assessments and security testing.

GDS follows the GovAssure process and says it completed a Cyber Assessment Framework security exercise in 2024, with continued work and collaboration with the NCSC on future mitigations.

Concerns not addressed

However, the whistleblower claims that the GDS digital identity team is the exception in having nobody from GDS’s internal security team to advise on information assurance – he says every other GDS service follows this principle.

He says GDS has “removed independent assurance of cyber security” from One Login, despite civil service rules mandating that such assurance should be provided from outside the development team.

He claims that GDS has suppressed the NCSC’s warnings and that there is no evidence that all the security concerns he identified have been fully addressed.

Computer Weekly asked GDS whether all the One Login security and data protection issues that were raised – including the DPO and NCSC concerns – as well as the risks subsequently confirmed by the GDS CISO, have been fully addressed and resolved, but GDS did not provide a response to that specific question.

We also asked what risks remain to the data protection and information security of the three million-plus users of One Login, but GDS did not answer that specific question either.