Millions of pounds of taxpayers' money earmarked by the government for training has disappeared because of "woeful" computer security precautions, experts have claimed.
The parliamentary enquiry begun on 16 January into the Department of Education and Skills' (DfES) Individual Learning Account (ILA) scheme, run by contractor Capita, will discover that it relied on inadequate single 10-digit passwords to protect the accounts.
Security was then further compromised when training candidates turned up with sequential PIN codes, according to Pitman Training, giving rogue traders a three in five chance of hitting an untapped account. No further checks, such as a user name, were required.
James O'Brien, managing director at Pitman Training, told vnunet.com: "Our centres noticed that trainees were turning up with sequential PINs. It only needed the end digits to be changed to access an account.
"Once the PIN had been entered, training providers could draw down the funds. Around 60 per cent of accounts held funds that had not been used."
The ILA scheme was suspended on 23 November amid concerns about theft and fraud. The initiative was nearly £60m overspent when the government finally pulled the plug.
"This appears to be an entirely inadequate level of security for government funds," said Tim Pickard, European marketing director at encryption specialists RSA Security.
Respected security consultant Neil Barrett was also appalled by the inadequacies of the system. "This level of security would not satisfy government approved schemes for ecommerce," he explained.
Security could have been improved by introducing some basic features, said Pickard. Locking users out after a number of unsuccessful attempts, or requiring both a username and password, are simple measures that would have made the system robust, he explained.
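The two measures Pickard describes, sketched as an added example that is not code from the ILA system or from this article: a draw-down needs a second learner-held credential as well as the account number, and a provider is locked out after repeated failures. The class, the threshold of five, the provider identifiers and the random (non-sequential) numbering are all assumptions made for illustration.

```python
import hmac
import secrets

MAX_FAILURES = 5  # assumed threshold; the article gives no figure


class AccountStore:
    """Hypothetical draw-down service (illustration only)."""

    def __init__(self):
        self.accounts = {}  # account number -> [learner secret, balance]
        self.failures = {}  # provider id -> failed attempts so far

    def open_account(self, balance):
        # Draw the 10-digit number from a CSPRNG so that changing the end
        # digits of one learner's number does not land on another account.
        while True:
            number = f"{secrets.randbelow(10**10):010d}"
            if number not in self.accounts:
                break
        secret = secrets.token_urlsafe(16)  # second credential held by the learner
        self.accounts[number] = [secret, balance]
        return number, secret

    def draw_down(self, provider, number, secret, amount):
        # Refuse outright once this provider has used up its failed attempts.
        if self.failures.get(provider, 0) >= MAX_FAILURES:
            return "locked"
        record = self.accounts.get(number)
        # Compare against a throwaway value when the number is unknown, so an
        # unknown number and a wrong secret take the same code path.
        expected = record[0] if record else secrets.token_urlsafe(16)
        if not (hmac.compare_digest(expected, secret) and record is not None):
            # Failures are never reset by a later success, so a provider
            # cannot clear the counter by using one valid account.
            self.failures[provider] = self.failures.get(provider, 0) + 1
            return "denied"
        if amount > record[1]:
            return "insufficient"
        record[1] -= amount
        return "ok"
```
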
ILA contractor Capita declined to rebut the criticisms of the system's security, which it said had been built to government specifications.
"A limited number of users may have abused their authorised access and acted in an inappropriate manner. The ILA system [was] built and run for the DfES, according to the department's detailed specifications," the firm said in a statement.
The DfES declined to comment on the ILA security, or whether other government departments had implemented similar security precautions.
A spokesman for the DfES reiterated Lifelong Learning Minister John Healey's comments that "until we have got to the bottom of what went on here it won't be clear what lessons there may be for other government outsourcing contracts".
Warnings that the system was open to abuse were constantly ignored. O'Brien said he had initially warned David Blunkett, then Minister for Education and Employment, in September 2000.