Hackers have targeted the UK government’s flagship welfare reform website,
underlining the risks of a scheme that requires users to send financial details
to the state via the internet on an unprecedented scale.
While the incursion on the Universal Credit website was repelled, it will focus attention on the possible vulnerability of the scheme, which rolls six existing benefits and tax credits into a single payment.
The attack is thought to have been launched shortly after a pilot scheme in Greater Manchester got under way at the end of April.
Officials in the Department for Work and Pensions are understood to believe the attack was not the work of international cyber criminals but of disgruntled opponents who wanted to prove the system was not secure.
The government has made clear that it expects the majority of claims for UC to be made and updated online. However, ministers say they are aware of the risks from fraudsters anxious to get their hands on claimants’ bank details.
When he was asked last year by MPs on the work and pensions select committee to name the biggest risks of the programme, Lord Freud, welfare reform minister, spoke about the “challenge” of tackling cyberfraud and ensuring “the system is utterly robust”.
Iain Duncan Smith, work and pensions secretary, added that the department had been in discussions with online retailer Amazon and with government agencies – understood to include CESG, the information assurance arm of GCHQ – about how to combat online crime.
The department, he said, was “working closely with them, bearing in mind that there are states that wish to attack things, and there are criminals out there who do a lot of online attacks and fraud”.
In a critical report on the early progress of UC, published in September, the National Audit Office noted that “cyber security protection” had been “fully deployed” in the pilot project but raised concerns that a planned identity assurance scheme had not been “developed or used” in the pilot.
It said that the current IT system could not identify fraudulent claims and that the department had to rely instead on multiple manual identity checks. “Such checks will not be feasible or adequate once the system is running nationally,” it said.
The government and industry are targeted by about 70 sophisticated cyber espionage campaigns every month, GCHQ said in July.
The DWP said it was unable to confirm or deny the attack on the Universal Credit website.
In a statement it said: “The IT used for the Universal Credit [pilot] has so far proved resilient to cyber-based threats.
“But we’re not complacent and know that it is in the nature of those threats to be always evolving. We work tirelessly to monitor, learn from experience, and enhance the system to make it as robust as possible to withstand both criminal and other malicious attacks.”
FT
While the incursion on the Universal Credit website was repelled, it will focus attention on the possible vulnerability of the scheme, which rolls six existing benefits and tax credits into a single payment.
The attack is thought to have been launched shortly after a pilot scheme in Greater Manchester got under way at the end of April.
Officials in the Department for Work and Pensions are understood to believe the attack was not the work of international cyber criminals but of disgruntled opponents who wanted to prove the system was not secure.
The government has made clear that it expects the majority of claims for UC to be made and updated online. However, ministers say they are aware of the risks from fraudsters anxious to get their hands on claimants’ bank details.
When he was asked last year by MPs on the work and pensions select committee to name the biggest risks of the programme, Lord Freud, welfare reform minister, spoke about the “challenge” of tackling cyberfraud and ensuring “the system is utterly robust”.
Iain Duncan Smith, work and pensions secretary, added that the department had been in discussions with online retailer Amazon and with government agencies – understood to include CESG, the information assurance arm of GCHQ – about how to combat online crime.
The department, he said, was “working closely with them, bearing in mind that there are states that wish to attack things, and there are criminals out there who do a lot of online attacks and fraud”.
In a critical report on the early progress of UC, published in September, the National Audit Office noted that “cyber security protection” had been “fully deployed” in the pilot project but raised concerns that a planned identity assurance scheme had not been “developed or used” in the pilot.
It said that the current IT system could not identify fraudulent claims and that the department had to rely instead on multiple manual identity checks. “Such checks will not be feasible or adequate once the system is running nationally,” it said.
The government and industry are targeted by about 70 sophisticated cyber espionage campaigns every month, GCHQ said in July.
The DWP said it was unable to confirm or deny the attack on the Universal Credit website.
In a statement it said: “The IT used for the Universal Credit [pilot] has so far proved resilient to cyber-based threats.
“But we’re not complacent and know that it is in the nature of those threats to be always evolving. We work tirelessly to monitor, learn from experience, and enhance the system to make it as robust as possible to withstand both criminal and other malicious attacks.”
FT
