Senior civil servants have raised serious cybersecurity concerns about the government’s emerging Digital ID framework, warning that flaws in the underpinning technology could put the personal data of millions of UK citizens at risk, according to an ITV News investigation.

Multiple whistleblowers, who have provided ITV News with confidential documents and correspondence, say that the digital authentication platform set to form the basis of the government’s Digital ID service, One Login, currently fails to meet mandatory government cybersecurity standards, including the “Secure by Design” and National Cyber Security Centre’s (NCSC) assessment frameworks.
One source said the shortcomings could lead to what they described as “the worst data breach in UK government history.”
In August, Think Digital Partners reported criticism of the One Login system, which industry experts say “lacks rigid security measures.” They pointed to its lack of Secure by Design principles, and to assessments that revealed risks including overseas admin access, insecure logins to live environments, and more than half a million unresolved vulnerabilities.
Key concerns identified
- One Login is already used by around 13 million people for core government services such as managing pensions, renewing passports, and professional registration.
- Whistleblowers say individuals without proper security clearance, including overseas contractors, have had access to critical parts of the system.
- Internal testing – including a standard “red team” exercise – reportedly uncovered vulnerabilities that allowed sensitive areas of the system to be accessed without triggering security alerts.
- Documents cited by whistleblowers show the NCSC identified risks such as bulk personal data theft, identity fraud, economic damage, and identification of vulnerable individuals like those in witness protection.
One insider told ITV News that exploiting these weaknesses “would not take any creative thinking for a state actor or organised crime group,” and warned that if fully compromised, attackers could potentially deny access to essential public services, including pensions, welfare, passports and driving licences.
Government response
The government, which has confirmed that One Login will underpin the mandatory Digital ID system for all adults by 2029, said in a statement that “protecting user data and the integrity of government systems is always our highest priority” and highlighted ongoing security testing and cooperation with the NCSC.
It emphasised that personnel do have relevant security clearances and that independent testing forms part of standard procedures to address any identified vulnerabilities.








