UK Government’s One Login System Faces Security Concerns
The UK Government Digital Service (GDS) has been warned that its One Login digital identity system has ‘serious data protection failings’ and ‘significant shortcomings’ in information security, potentially increasing the risk of data breaches and identity theft. A whistleblower with extensive cyber security experience, who worked in a senior information security management role at GDS, first raised concerns about the system’s security in July 2022.
The whistleblower’s warnings included insufficient security personnel, lack of risk assessments, and non-compliant system administration practices. Despite these warnings, many of the identified security problems remain unresolved, putting the information security of the system’s three million users at risk.

In November 2022, the Cabinet Office data protection officer (DPO) warned that One Login had ‘serious data protection failings’ and recommended suspending the live service. The National Cyber Security Centre (NCSC) also identified ‘severe shortcomings’ in the system’s cyber security in September 2023.
GDS maintains that it follows civil service and NCSC guidance on security and data protection. However, the whistleblower claims that the department has removed independent assurance of cyber security from One Login, despite civil service rules mandating such assurance.
The controversy surrounding One Login highlights the ongoing challenges in balancing the need for secure digital identity systems with the pressures of delivering government services online. As the UK government continues to expand its digital services, the security of systems like One Login remains a critical concern.
Key Security Concerns
- Insufficient security and assurance personnel
- Lack of risk or threat assessment for One Login
- Non-compliant system administration practices
- ‘Serious data protection failings’
- ‘Severe shortcomings’ in cyber security
GDS Response
GDS states that it adheres to UK data protection and privacy laws, including UK GDPR and the Data Protection Act 2018. The department claims to operate a three lines of defence process to protect data, deter and detect fraud, and monitor and respond to threats.
However, the whistleblower’s allegations raise questions about the effectiveness of these measures in addressing the identified security concerns.
Conclusion
The security of the UK’s One Login system remains a pressing issue, with significant implications for the country’s digital identity infrastructure. Addressing the identified security shortcomings will be crucial to maintaining public trust in the government’s digital services.