Straight from the Department of Unfortunate Matters, as reported by Andy McCue on silicon.com.
‘The government has come under fire after it emerged ministers have known for months that criminals were using stolen identities to make £30m of fraudulent online tax credit claims.
‘HM Revenue and Customs (HMRC) was warned about the flaw over six months ago but only closed the tax credit portal down last week after it discovered criminals had used the identities of 1,500 civil servants at the Department of Work and Pensions (DWP) to make fraudulent claims.
‘The tax credit website handles around half a million transactions a year and the fraudsters were able to change claim details and redirect the money into their own bank accounts by getting hold of a genuine claimant's name, date of birth and national insurance number.
‘The latest fraud involving innocent staff at the DWP only came to light during compliance checks by HMRC, and MPs have been told the tax credit website has been hit by over £30m of fraudulent claims.
‘The police have now been called in and a spokesman for HMRC declined to comment further while the criminal investigation is ongoing – but said the tax credit website will remain down until the review of its security is completed.
‘Liberal Democrat Work and Pensions secretary David Laws slammed the government and said ministers must make a statement as to why they took so long to take action to stop the fraud
‘He said: “This complicated and chaotic system is wide open to fraud. Ministers have known for some time that organised criminals were using the internet to defraud the system.”
‘The debacle is yet another embarrassment for the government's flagship tax credits programme, which has suffered from problems since it was launched in 2003. Much of that has been down to an IT system described as a “nightmare” by MPs. EDS was last month forced to shell out £71m to HMRC to settle the dispute over problems with the tax credits IT system.’
The fact that it was possible to use the identities of the employees of the Department of Work and Pensions to create fraudulent claims and redirect money into a criminal bank account boggles the mind. Yet somehow I doubt this project went forward without the usual security reviews and audits.
That's why, for me, this kind of thing always drives home the notion that systems must be designed in light of the assumption that they will be breached, in spite of the security reviews. This may in fact not be true, but even knowing this, it is the best assumption one can make.
In fact, I'm starting to think that failure to do this is an act of professional incompetence.
It should be impossible to get a degree in computer science without demonstrating an understanding of this concept: system designs must include not only security and privacy threat analysis and mitigation strategies, but must indicate how breaches are dealt with so as to minimize damages.
Overcentralization of identity information increases the risks involved once the idea of a breach is accepted. So does the ability to assemble information from different contexts which should strictly be separated.
It is key people see that the privacy requirements of contextual isolation and limitation of information centralization are precisely the same requirements leading to maximal resilience and minimization of risk in the face of attack and breach.
If we care about security, privacy is our friend.