Risk: Informational
The online visa application website for Indian citizens wishing to travel to the UK was left insecure for a year, exposing up to 50,000 people's details. The site is no longer accepting applications.
One applicant from Bangalore, Sanjib Mitra, discovered the problem in April 2006 and alerted VFS Global, the company tasked with visa processing, as well as the British High Commission. Mitra heard nothing from VFS and, after a two-month delay, received an email from the Commission saying that the issue would be investigated. However, nothing appeared to have been fixed, and Mitra recently contacted an IT security journalist, who publicised the issue.
Mitra discovered that it was alarmingly easy to view other applicants' details, which included information that would be a godsend to terrorists or identity thieves, such as passport numbers, family details, addresses and much more. Perhaps the UK Government should re-read its own Data Protection Act (http://www.opsi.gov.uk/ACTS/acts1998/19980029.htm), which is supposed to prevent sensitive information from being viewed by any Tom, Dick or Harry.
Mitra's write-up of finding this outrageous security breach is at:
http://sanjibmitra.blogspot.com/2007/05/identity-leakage.html