States website breach 'severe'
WHISTLE-BLOWER Marcus Cicero's claims about the lack of security of the States' election website have been backed by an official inquiry.
Data protection commissioner Dr Peter Harris said in a report, which was compiled with the assistance of PricewaterhouseCoopers, that the breach was 'severe'.
The vulnerability meant that the personal details of people who registered online for the electoral roll could potentially be viewed, as could the banking and medical details of Maison Maritaine residents from 1986 to 2004.
He has decided not to serve an enforcement notice on the States. Instead he has outlined six recommendations on which he wants the Policy Council to take action.
He launched the investigation after the Guernsey Press revealed the lack of security in mid-March, having been contacted by Mr Cicero, a web developer and former local resident.
He claimed the States had ignored warnings he gave four years previously.
Mr Cicero travelled from Newcastle to show States IT staff the system's flaw at the Guernsey Press's offices.
'The vulnerability of the election web-server was primarily caused by technical failings within the Information Technology Unit,' said Mr Harris.
'The technical and organisational measures used to protect the personal data processed on the election web-server were inadequate.'
However, Dr Harris's report also discovered that the States had failed to act on another security issue surrounding the site that it had been made aware of.
'There was evidence that the ITU had been contacted in May 2007 and had been advised of two security issues surrounding the election website.
'These were that the website was susceptible to "SQL injection attack" and, more significantly, that the PHP source code was visible on a Google search and that the login credentials for the site were thereby compromised.
'It appears that steps were taken by ITU to correct the SQL injection vulnerability and to change the password, but no action was taken to hide the location of the PHP source code, which was the primary reason for the vulnerability.'
Dr Harris said there was no evidence to support Mr Cicero's claim that he had contacted the States in 2004 as there was no audit trail of changes made to the website at that time.
He added that the vulnerability arose because of an inadequate standard of programming associated with the site.
'Any internet user could, by using a tool such as Google, have discovered the vulnerability, but a basic level of knowledge would have been required to recognise the login credentials contained within the PHP source code and to exploit them to gain further access.
'Once the login credentials had been identified, a commonly available tool, such as FTP, could have been used to gain access to other information stored on the web-server.'
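The failure described in the report, a web server that returned PHP source as plain text and so exposed the credentials embedded in it, is something a site operator can check for in their own deployment. The following is an added example, not code from the report, the States or the article: it classifies sample HTTP response bodies (constructed here, not taken from the election site) by whether they contain unrendered PHP and whether that source carries hardcoded secrets. The severity labels and the credential-matching pattern are assumptions for illustration.

```python
import re

# Constructed sample response bodies, as a server might return them for a .php URL.
# None of these are taken from the site discussed in the article.
SAMPLE_RESPONSES = {
    # Correct behaviour: the server executed the script and sent only HTML.
    "rendered_ok": "<html><body><h1>Election registration</h1></body></html>",
    # Misconfiguration: the raw script, including a database password, was served.
    "leaked_source": (
        "<?php\n"
        "$db_user = 'electoral';\n"
        "$db_pass = 'constructed-example';\n"
        "mysql_connect('localhost', $db_user, $db_pass);\n"
        "?>"
    ),
    # Source leaked but nothing sensitive inside it.
    "leaked_no_creds": "<?php echo 'hello'; ?>",
}

# A PHP open tag in a response body means the interpreter never ran the file.
PHP_OPEN_TAG = re.compile(r"<\?(php|=)", re.IGNORECASE)

# Assumed heuristic for hardcoded secrets: a variable whose name contains
# pass/pwd/secret/token assigned a quoted literal.
CREDENTIAL_ASSIGN = re.compile(
    r"\$\w*(pass|pwd|secret|token)\w*\s*=\s*['\"][^'\"]+['\"]", re.IGNORECASE
)


def source_leaked(body: str) -> bool:
    """True if the body contains an unrendered PHP open tag."""
    return PHP_OPEN_TAG.search(body) is not None


def credential_lines(body: str) -> list:
    """Lines that look like hardcoded secret assignments, with the literal value masked
    so the finding can be logged or reported without copying the secret."""
    hits = []
    for line in body.splitlines():
        if CREDENTIAL_ASSIGN.search(line):
            hits.append(re.sub(r"(['\"])[^'\"]+\1", r"\1***\1", line.strip()))
    return hits


def assess(body: str) -> dict:
    """Classify one response body. Severity scale is an assumption for this example:
    'none' (rendered normally), 'moderate' (source visible), 'severe' (source plus
    credentials, the situation the report describes)."""
    leaked = source_leaked(body)
    creds = credential_lines(body) if leaked else []
    if not leaked:
        severity = "none"
    elif creds:
        severity = "severe"
    else:
        severity = "moderate"
    return {"source_leaked": leaked, "credential_lines": creds, "severity": severity}


if __name__ == "__main__":
    for name, body in SAMPLE_RESPONSES.items():
        print(f"{name}: {assess(body)}")
```

In practice a check like this belongs in a deployment or monitoring job that fetches the site's own script URLs and raises an alert on any body where `source_leaked` is true; the masking in `credential_lines` keeps the alert itself from becoming a second copy of the secret. The Google-indexing step in the report is a reminder that, by the time such a check fires, copies may already exist elsewhere, so the credentials in a leaked file should be rotated rather than merely hidden.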
Mr Cicero could not be contacted for comment yesterday. But police are still investigating whether any offence was committed in accessing the personal data of people on the system.
The case file has now been passed on from Guernsey Police to police in Northumbria.
A spokesman for Northumbria Police said there was little they could say as their inquiries were still at a very early stage.