While the site is not connected to any other government systems, it was possible to view different applicants’ personal details just by changing characters in the applicant’s URL. A message has been posted to the site saying it is experiencing ‘technical difficulties’.
The secretary of state for foreign and Commonwealth affairs Lord Triesman pledged an enquiry into the breach and said its findings would be made public.
He stated: “Security is paramount in our visa system. We will conduct an immediate, thorough and independent investigation into this reported breach of one of our commercial partner’s systems.”
The security breach was highlighted by Davey Winder in a post on his technology blog. Winder described how a security hole first found a year ago had not been fixed.
Describing what happened when he manipulated the URL data, Winder wrote: “Doing this, entirely at random, brings up the visa application details of people ranging from someone who applied yesterday through to some who applied a year ago and I have the screenshots to prove it.”
In March, UKvisas signed a £140m outsourcing deal with CSC that will see the IT services firm establish three regional visa application centres covering 15 countries as well as providing multilingual call centres and websites in another 87 countries.
CSC will also be responsible for capturing biometric data on all visa applicants, including photographs and fingerprints.
UKvisas’ own Visa4UK website is not affected by the security breach and is operating normally in the countries where it is available.
The government is particularly sensitive to website security breaches just days after health secretary Patricia Hewitt announced that the NHS’s online system for junior doctors to apply for specialist training posts would be axed. The announcement was sparked by a security breach that saw the personal details of hundreds of doctors made available online through the Medical Training Application Service website.
Additional reporting by Tash Shifrin, Computerworld UK