Revenue security flaw could have wider impact

The initial problem with the online self-assessment site has now been fixed, after the service was withdrawn on 27 May.

But a Revenue spokesman told VNU News Net other departments using the Government Gateway may also be exposed.

‘We are in discussion with other government offices where we believe it could affect them, although it would not affect many,’ he said.

The exact cause of the problem is still unclear, although the Revenue is blaming a configuration problem with one unnamed ISP used by visitors to the site.

‘The way in which the ‘session cookie’ identifying the user was managed meant that it could, in certain rare circumstances, be presented to another user,’ said a statement last week.

Further details came from the government’s e-envoy, Andrew Pinder, who told a Public Accounts Committee last month that an obscure ‘technical standard’ had been the culprit.

‘There were technical problems with the way the ISP interacted with the system run by the Inland Revenue,’ Pinder told the Committee.

‘It was a technical standard we were not aware of. The Inland Revenue will be making other government departments aware of the quirk.’

It is not clear whether the problem is peculiar combination of the ISP configuration and government gateway security, but the Revenue said it was unable to make any more details public.

The ISP at the centre of the security flaw is not being named but the Revenue said its own IT supplier EDS and EzGov, which produced the online tax form, are not in any way at fault for the security flaw.

Only 13 people have so far confirmed seeing other user details on the SA Online site, but an examination of the site’s logs revealed up to 665 users could have been compromised.

‘Although it is unlikely their information was seen by anyone else, we cannot completely eliminate the possibility,’ said the statement.

‘We are writing to all those who may have been affected to apologise and explain what we are doing. We very much regret this incident.’

The site has now been checked by independent internet security experts, said the Revenue.

Related reading