Revenue security flaw taxes government

The Inland Revenue has admitted that the security flaw which led to its online tax-filing site exposing users' confidential details could affect other government services.

The initial problem with the online self-assessment site has now been fixed, after the service was withdrawn on 27 May.

But a Revenue spokesman told vnunet.com that other departments using the Government Gateway may also be exposed.

"We are in discussion with other government offices where we believe it could affect them, although it would not affect many," he said.

The exact cause of the problem is still unclear, although the Revenue is blaming a configuration problem with one unnamed internet service provider (ISP) used by visitors to the site.

"The way in which the session cookie identifying the user was managed meant that it could, in certain rare circumstances, be presented to another user," the Revenue said a statement last week.

Further details came from the government's e-envoy, Andrew Pinder, who told a Public Accounts Committee last month that an obscure "technical standard" had been the culprit.

"There were technical problems with the way the ISP interacted with the system run by the Inland Revenue," Pinder told the Committee.

"It was a technical standard we were not aware of. The Inland Revenue will be making other government departments aware of the quirk."

It is not clear whether the problem is a peculiar combination of the ISP's configuration and Government Gateway security, as the Revenue said it was unable to make any more details public.

The Revenue did confirm that its own IT supplier EDS and EzGov, which produced the online tax form, are not in any way responsible for the security flaw.

Only 13 people have so far confirmed seeing other users' details on the Self Assessment Online site, but an examination of the site's logs revealed that up to 665 users could have been compromised.

"Although it is unlikely that their information was seen by anyone else, we cannot completely eliminate the possibility," said the statement.

"We are writing to all those who may have been affected to apologise and explain what we are doing. We very much regret this incident."

The site has now been checked by independent internet security experts, according to the Revenue.