The government’s cavalier approach to security for its rapidly expanding digital governance and identity systems should be enough to give all UK citizens pause — if only they knew about it!
Some time roughly a month ago, hackers broke into the UK’s Legal Aid Agency’s IT system and made off with a “significant amount of personal data” belonging to hundreds of thousands of legal aid applicants dating all the way back to 2010. That data, according to The Register, could include applicants’ contact details, home addresses, dates of birth, criminal histories, employment statuses, and financial data such as contribution amounts, debts, and payments.
While the attack itself was detected on April 23, it wasn’t made public until May 6. It wasn’t until May 16 that investigators realised, or at least publicly acknowledged, that the damage was “more extensive than originally understood and that the group behind it had accessed a large amount of information relating to legal aid applicants.”
The UK’s retail sector has also been hit by a spate of cyberattacks. Last week, the British high street retailer Marks & Spencer finally came clean that the hackers that had brought down their website for a whole month had also made off with reams of personal customer information, fuelling speculation that ransomware was involved.
The stolen data included masked payment card details (usually the last four digits of a payment card). Given that M&S has 9.7 million active customers — equivalent to almost one out of six UK citizens — the potential impact of the breach could be significant, especially given the sensitivity of some of the data compromised. As is often the case in these kinds of incidents, the hackers are believed to have gained access to M&S’ IT system through third-party providers.
The damage to M&S, both financial and reputational, has been significant. Its online platform is still down over four weeks after the initial attack, setting it back over 60 million pounds ($80 million) in lost profit, according to analysts. In the three weeks immediately following the cyberattack, M&S lost around £1 billion of its market value on the London Stock Exchange. In a statement posted to the London Stock Exchange last Tuesday, M&S’ management said:
“Today, we are writing to customers informing them that due to the sophisticated nature of the incident, some of their personal customer data has been taken. Importantly, the data does not include usable payment or card details, which we do not hold on our systems, and it does not include any account passwords. There is no evidence that this data has been shared.”
But the retailer has no way of confirming that the data isn’t being shared. These recent data breaches underscore a worrying trend in today’s almost digital-everything society: our personal data is becoming less and less safe in the hands of both government and corporations as more and more of it is brought online. To quote Prof Sandra Wachter, a data ethics expert at the Oxford Internet Institute, “welcome to the Internet,” where “everything is hackable.”
Inauspicious Beginnings
The reason why this should be of particular concern to UK citizens is two-fold.
First, the UK government, like the EU and many national governments, is in the process of rolling out a digital identity wallet, branded Gov.UK, as part of its “One Login” digital governance system. If successful, One Login could end up holding just about every data point imaginable on UK citizens. Which brings us to the second reason: when it comes to protecting citizens’ data and running IT operations in general, the UK government has a horrid track record.
On July 5, the day Keir Starmer became UK prime minister, we wagered that a Starmer government would intensify the push to roll out a digital identity system in the UK — a country that has, until now, resisted all recent attempts to introduce an ID card system, including, most notably, by Starmer’s backroom consultant and mentor, Tony Blair. At the risk of blowing our own trumpet, that is exactly what has happened.
Late last year, the propaganda push for digital identity kicked into gear. After studiously ignoring the issue for years, the legacy media suddenly began trying to manufacture public complacency and consent for the government’s digital identity — and by extension, CBDC — agenda. As we have maintained for the past three or so years, this is all about expanding government — and with the CBDCs, central bank — control.
Blair’s non-profit, the Tony Blair Institute for Global Change, claims that introducing digital ID will “improve governance, facilitate greater inclusion, fuel economic growth” and “make information more secure”. However, as Michael Orlowski points out in a recent article for Spike, the recent revelations from the One Login juggernaut suggest otherwise:
Digital ID will not ‘improve governance’ or ‘facilitate greater inclusion’. Far from it. What it will do is put our private data at serious risk. This is a threat to us all.
One Login was launched in 2021 by Michael Gove after the Tory government’s previous attempt to launch a digital ID and verification system, called Verify, failed after burning through £400 million of public funds. Following a slow start, One Login now has six million users.
The system appears to have been inspired by other digital government service and identity systems already established in Europe, including Estonia’s e-Estonia and Ukraine’s Diia, which was brought down by Russian hackers in December.
As readers may recall, the UK signed a digital trade agreement with Kiev in late 2022 that included a provision for collaborating on digital identity. London, together with its partners in the US and the EU, had helped to fund the Zelensky government’s development and rollout of Diia.
A year later, the UK signed a Memorandum on Cooperation with Ukraine and Estonia setting out their commitment to a “trilateral programme of activity on e-governance and digitalisation”. The text of the memorandum paints a pretty picture of the transformational potential of digital governance:
Digital technologies have the capacity to revolutionise every aspect of how governments function, contributing to increased efficiency in the delivery of public services. Digitalisation can also facilitate transparent processes and accountable decision-making and improve investor confidence.
A Perfect Honey Pot?
But if the systems are not properly secured, they can create a perfect honey pot of lucrative data for hackers and nation-state adversaries — of which, let’s face it, the UK has plenty…
Continue reading on Naked Capitalism