Legacy IT systems and software are leaving government vulnerable to cyberattacks, according to a new report.

The use of legacy servers and databases has been uncovered through freedom of information (FoI) requests from pressure group the TaxPayers’ Alliance. It found that many of the systems in Whitehall were so out of date that they were no longer supported by Microsoft and would cost huge sums to replace.
The report shows that HM Revenue and Customs (HMRC) is using tens of thousands of vulnerable servers and databases. Both the Department of Health and Social Care (DHSC) and the UK Atomic Energy Authority also reported using outdated software, as per a report published in The Guardian.
The article quotes experts as saying that the use of old servers is far more widespread in Whitehall than the FoIs reveal, and that “many IT systems need specialised updates in order to keep data safe, with the cost likely to run into hundreds of millions of pounds.”
A former civil servant turned whistleblower who used to work on cybersecurity while in Whitehall told the TaxPayers’ Alliance: “The ongoing use of legacy systems in government is a disgrace and completely inexcusable. We move at such a slow pace that it seems only to get worse.
“In secure bits of the private sector like banks, heads would roll until all legacy systems were patched or replaced. These legacy systems mean the public simply cannot have confidence that government is protecting their personal data. These legacy systems are ancient, with a poor user experience too, so there’s every reason to change them.
“The problem is so bad that some of these systems could be taken down by an enthusiastic child – the vulnerabilities are publicly known, and pre-made malware is readily available. It keeps me awake at night worrying that at any moment, a key HMRC system or a hospital might get taken down because we have not got the most basic protections in place.
“In a world of highly sophisticated and bespoke cyber-attacks from elite hackers in Russia and China, the fact we are so insecure is terrifying. As taxpayers, we deserve better.”
Bringing government in line with private sector
John O’Connell, chief executive of the TaxPayers’ Alliance, is quoted as describing the numbers as “deeply troubling.”
He said they showed that key parts of government remain reliant on ancient IT systems, despite being exposed to well-documented serious cyber-vulnerabilities.
“This failure is exposing data to criminals and costing taxpayers billions in maintenance and incident management.
“Ministers must urgently commit to bringing the state in line with private sector standards, rather than wasting billions on pointless pet projects.”
Isle of Man government data breach
Elsewhere, the Isle of Man Government has revealed an information breach relating to its FOI system.
An investigation is underway into the unauthorised access by a senior officer in the Cabinet Office to personal data in the system. The information commissioner said that the Cabinet Office is also undertaking an internal investigation.
Between April 1, 2022, and March 22, 2023, the senior officer accessed the personal data contained in over 540 FOI requests, made to 20 separate public authorities, on more than 1200 occasions.
At present, the purpose for which the personal data was accessed and further processed is unknown, nor is it known why the breaches went undetected by the system administrator.
The commissioner said: “In response to a request by the Information Commissioner, all public authorities have carried out audits of their access logs and have identified a number of occasions where their information requests were viewed by a third party from another public authority.”