Universal Credit at high risk of cyber-attack, fraud from the outset

Documents released after a four-year legal battle reveal the extent of the UK government's blithe disregard for the risks faced by Universal Credit.

This week, internal reviews of the enormous project in 2011 and 2012 were published by the Department of Work and Pensions under Freedom of Information laws.

The dossiers reveal a department obsessed with meeting unrealistic targets and consequently failing to plan for key aspects of the programme – in particular cyber-security and fraud.

In 2012, the Major Projects Authority stepped in to reset the programme after finding "serious concerns about the department having no detailed 'blueprint' and transition plan for Universal Credit."

The highest risk factor of the programme appears to be a lack of a cyber security mitigation for the project, which intends to roll six benefits into one with claimants expected to apply online. On a scale of 1-5, with five being most likely, the cyber risk was rated a four.

The review said: "Given universal credit represents a high-value asset, exposed on a widely accessible potentially high-vulnerability channel, there is a high risk of cyber attacks leading to the non-availability of UC through the online channel."

Fraud was also named as a high risk factor, with a likelihood rating of four. The document said: "If adequate prevention and detection and technical controls are not built in the UC solution, fraudulent activity may be successfully perpetrated against UC leading to significant financial loss."

One expert in public sector risk reports told The Register: "If I saw a rating as high as this, it would need to be fixed very quickly or I'd recommend the project to be stopped."

He added: "The risk assessments were still very high when this document was produced – far too high to proceed to implementation. Unless they were radically reduced it is not surprising that the project was halted and reset."

John Slater, who has been campaigning for the release of the review, said the report was indicative of a "programme out of control, utterly focused on a 'go live' date and senior people not engaging their brains."

Back in in 2011, the Cabinet Office noted that the DWP elected to use an iterative "agile" approach toward the delivery of universal credit because of the challenging timetable.

"There is no evidence of such a methodology being used on a public sector programme of such scale, and during the course of the review it was evident that there had been some initial scepticism to the use of such a methodology with a programme of this scale," it said.

Slater added: "The risks highlight the absence of appropriate quality assurance activities on the universal credit programme. Regardless of whether agile or other methodologies were being employed by the UCP, appropriate assurance was essential for something on the scale of the programme."

One prescient risk factor also included reputational damage in relation to media coverage of the project.

It noted: "There have been previous instances of the media having a negative view of the government's ability to deliver new programmes."

Plus ça change... ®