A serious breach

A MAJOR security flaw left exposed the whole of the States internet system and put at risk personal data belonging to individuals in a care home. At this stage, it is not known whether there has been any malicious access to the information.

What was a catastrophe waiting to happen was drawn to the attention of Treasury and Resources, the department responsible, by this newspaper after contact from a Guernsey IT specialist working in the UK.

Having apparently tried to warn some years earlier of flawed security, he asked whether we could help to protect a site run on behalf of islanders and containing personal information.

After satisfying ourselves – without entering off-limits areas – that there was a likely problem, we arranged for a demonstration in front of the department's senior IT staff of how easy it was to access confidential material.

When the whistle-blower navigated to a folder containing what he said were patient records, medical details and care procedures, one of the Treasury and Resources members snatched the mouse out of his hand and deleted the files.

T&R has yet to comment on this incident – the Guernsey Press offered to delay publication until the security weaknesses had been patched – but it will wish to play down what has happened.

In reality, according to the man who highlighted the flaws, the security was equivalent to a wet paper bag and meant that someone with limited intelligence and without vast technical knowledge could easily compromise a system, network or website within seconds.

Quite apart from leaving patient records open to unauthorised access, passwords and login details were available that would have allowed a malicious hacker to take over the entire gov.gg site.

The damage that could have been wrought was immense.

What T&R must do today is explain how its IT professionals and consultants allowed this serious breach to occur – and try to convince islanders that their personal data is safe with the States.