Online visa security flaw

Last Modified: 17 May 2007
By: Julian Rush

Exclusive: a security flaw in internet visa applications to the British High Commission in India means the details of 50,000 people may have been available online.

It was a potential treasure trove for identity thieves and terrorists.

The personal details of thousands of people wanting to travel to the UK - online, unsecured and available to anyone who simply altered a website address.

Four hundred and seventy thousand Indians applied for visas to come to Britain last year. Not all applied online - but nearly 50,000 did, including Sanjib Mitra from Bangalore.

In April last year he had trouble with his application and in trying to sort things out discovered he could access all the other applications that had been made online.

Visa processing in India has been contracted out by the Foreign Office to a private Indian company, VFS Global.

In a blog last week Sanjib Mitra revealed how he had checked and found the loophole was still there. He says he emailed the company last year - and heard nothing. And he emailed the British High Commission, who two months later replied that they would look into it.

Concerned, he alerted specialist computer security journalist Davey Winder who investigated the breach. Having determined the information was still vulnerable, and succeeded in getting VFS Global to secure the database, Winder contacted Channel 4 News.

Indian online visa applications have now been suspended. And we can reveal the security breach is widening - online applications from Russia and Nigeria, run by the same company, have been suspended too.

It is the sheer scale of this security that is staggering: it dwarfs the MTAS computer scandal.

The Foreign Office, which in February awarded VFS a five year contract worth £190 million for visa processing, told us -

"This VFS system is used only to record the details of visa applicants applying online through VFS, and to allow those applicants to see how long it will take to have their passport returned. It is not connected to the secure UK government information system used to process the applications."

And because data privacy may have been compromised, the Information Commissioner is to investigate.

No-one knows if anyone has stolen the personal data that was so freely available.

VFS told us they were working hard to secure their systems - they process visa applications for entry to 14 countries, but the UK is their biggest customer.

It is the sheer scale of this security that is staggering: it dwarfs the MTAS computer scandal.

The online system has been running since 2003 and is known to have been compromised for at least a year with tens of thousands of personal details up for grabs.