The Foreign and Commonwealth Office (FCO) has been found guilty of breaking data
protection laws after a security lapse on a visa application website.
The breach occurred on a site set up by the FCO and the Home Office to handle
visa applications from overseas.
An investigation by the Information Commissioner's Office (ICO) found that a
flaw in the site meant that users could see as many as 50,000 other applicants'
details when they logged in.
Mick Gorrill, assistant commissioner at the ICO, said: "Organisations have a
duty under the Data Protection Act to keep our personal information secure.
"If organisations fail to take this responsibility seriously they leave
individuals vulnerable to identity theft and risk losing individuals' confidence
and trust.
"We investigate any organisation in breach of the Act and will not hesitate
to take appropriate action."
The running of the site was outsourced to Indian company VFS, and a customer
alerted the FCO to the problem in December 2005. The flaw remained in place,
however, and the FCO only admitted to a problem earlier this year.
Following the Information Commissioner's report, the FCO has admitted
responsibility for the breach, corrected the fault and ended its relationship
with VFS.
"The VFS online application websites will not be reopened and will be replaced
by visa4UK, the UKvisas online application facility which will be the only
online application system used by UKvisas," said the FCO in a statement (PDF).
"A strategic review of data processing will be undertaken by UKvisas in order
to strengthen Data Protection Act risk management processes, and a detailed
audit carried out of the data processor's data security procedures.
"Regular monitoring of the visa4UK website will be undertaken to ensure that
the systems in place to provide effective protection."