Government Gateway online hack claims 'nonsense', say multiple folk in the know
There's no such thing as the 'crown jewels' of identity theft
Claims the Government Gateway online identity portal has been "hacked" have been dismissed as "nonsense" by the man originally responsible for the project and by two government information security experts.
Earlier this week the Financial Times (behind paywall) reported that “tens of thousands” of Britons’ identities were currently for sale on "the dark web". The newspaper cited a Whitehall security officer, who revealed this included thousands of detailed profiles stolen from the government’s own computer systems.
"Profiles hacked from the Government Gateway database — which contains information shared by key departments such as HM Revenue & Customs and the Department for Work and Pensions — have been recently available for sale at $75," the source told the FT - saying that the data sets were the “crown jewels” of identity theft.
However, Alan Mather, former chief executive of the government's e-Delivery Team between 2000 and 2004 – which was responsible for introducing the gateway – said the architecture of the identity assurance portal contains no such thing as "the crown jewels of identity theft".
He said: "It doesn’t, for instance, hold any address details – it gets them from the department, uses them to send the user ID via the post and then discards them. At any one time it only has the details of anyone who is in the early part of the registration process. So in my view this is nonsense."
One information security expert who works with the government and CESG – the IT security arm of GCHQ – agreed that such claims of a hack were "highly unlikely".
The source, who asked not to be named, said: "Basically, some criminals 'bigged up' the data they were selling off. That is absolutely nothing to base any kind of sensible opinion on."
He added: "There are plenty of other ways miscreants could get hold of the profile information described, such as malware in browsers used to complete Self Assessment, backups, or contractors' shoddy data transfer."
Another expert, who also asked not to be named, said the first he'd heard of this compromise was in the FT's report, adding, "so I am somewhat sceptical."
While a hack of the sort described by FT's source seems unlikely, it is true that the gateway, which was developed in 2001, badly needs replacing. In 2011, the National Audit Office warned that the system was starting to creak, identifying an "urgent need" to find a better alternative to the Gateway.
So far the Cabinet Office's identity assurance programme Verify, which has been extremely slow to get off the ground, has failed to offer an alternative.
According to a Freedom of Information response sent to The Register, there are currently 42 million registered Gateway accounts.
While it is likely that individuals will be registered for a number of Gateway services, the scale of moving all these users over to Verify by next year's deadline is clearly enormous. ®