An investigation into a security bug on a website used to apply for UK visas has painted a damning picture of “organisational failures” by a government agency and its contractor.

The online UK visa application website for people in India, Russia and Nigeria was provided by VFS Global, a commercial partner of the joint Foreign Office and Home Office agency, UKVisas.

Ministers pledged an inqiury after the site was closed down in May following publicity over the security bug – which made personal details of visa applicants easily accessible to hackers.

The report by independent investigator Linda Costelloe Baker slams UKVisas’ outsourcing of the online service to a firm that is not an IT specialist, the contractor’s performance and the failure to respond adequately when the security hole was first revealed by Indian national Sanjib Mitra in December 2005.

There had been “inadequate central control of the moves to outsourcing”
and contracts had paid “insufficient attention to the requirements of the Data Protection Act and to basic IT security”.

Costelloe Baker added: “UKVisas was undoubtedly relieved to have the practical administrative assistance provided by outsourcing, but it did not obtain adequate third party or expert assurances that the VFS IT system was robust, even before VFS was allowed to start up an online system.”

UKVisas should have made its expectations clearer, Costelloe Baker said, and the contracts drawn up by UKVisas “lacked specificity”.

he cited an expert view that the VFS online system “was so poor that it should be completely rewritten”. One expert described it as “an upside down pyramid, where piling more levels of changes and processes on the top only makes it more likely to fall over”.

Since the debacle, VFS had accepted “that it is not an IT company and that it needs to outsource its software writing”, Costelloe Baker said. VFS had been keen to grow a new business – but in doing so it paid insufficient attention to the level of its own IT skills and abilities.

UKVisas “reacted inadequately” to notifications of the data security vulnerability from three people, the investigatin found. Costelloe Baker said: “I do not find it acceptable for a complaint to be simply passed on to a third party - VFS in this case – for a response.”

VFS took “some remedial action in January 2006” after the flaw was first revealed, but this appeared to have been ineffective in solving the problem. Mitra went public when the bug remained unfixed 18 months later.

In a scathing verdict, Costelloe Baker said: “In my view, there is no evidence to support any finding relating to the competence or performance of specific UKvisas’ staff – the problems were far wider than that.

“The circumstances that led to the breach of data security from the outset, the lack of independent oversight and the failure to react adequately to Mr Mitra’s December 2005 notification, were organisational failures by both UKVisas and VFS.”

Foreign secretary David Miliband issued a government resoponse accepting the findings and recommendations of the investigation.

He pledged that the VFS websites would not be reopened, but would instead be replaced by visa4UK, the main UKVisas online application service.

In March, UKVisas signed a £140m outsourcing deal with CSC that will see the IT services firm establish three regional visa application centres covering 15 countries as well as providing multilingual call centres and websites in another 87 countries.

Miliband said: “UKVisas will take all necessary steps to ensure the new contracts are implemented rigorously in partnership with VFS and CSC, to the benefit of the effectiveness and efficiency of the visa process.”

UKVisas is also undertaking a strategic review of data processing, including by its commercial partners in a bid to strengthen Data Protection Act risk management processes. The agency’s corporate services director is to take on the role of chief information officer, to ensure an IT voice at board level.