Staff in over 30 local authorities have been the subject of serious ID card database security breaches over the last two and a half years, it has emerged.
The incidents were revealed in January, when the Department of Work and Pensions (DWP) issued an information bulletin to the authorities restating its access policy and penalties in light of the breaches.
Yesterday, the DWP confirmed it had sent the bulletin and that it was related to how it had detected staff accessing its Customer Information System (CIS) with "view-only" rights to its data on all UK citizens with a national insurance number.
These instances had no business justification and were detected from August 2006 onwards, in councils across the UK, including three at Sefton Council and two at Glasgow City Council.
The DWP press office issued a statement that said the fact the breaches were detected proved that CIS security measures were working.
"The bulletin included a reminder for local authority staff of the penalties for inappropriate accessing of customer information," it stated. "This is an indication of how seriously the department and local authorities take data security."
The penalties for unauthorised CIS access, such as viewing personal records or those of others they may know, include possible disciplinary action or prosecution.
Mark Evans, marketing and communications director at IT security specialist Imerja, said the incidents proved there is a real need for staff in every organisation to be better educated about IT security policies.
"The problem remains that, even with restricted access, there are still people who struggle to understand the importance of IT security and will write their login details on Post-It' notes for anyone to see," he said.
"What we don't know in this case is whether any of the detected breaches were malicious or if they were simply people misusing the database by taking shortcuts or even using it as a contacts directory. People don't realise how easy it is to breach IT security protocol."
