Concerns over the security of ContactPoint child database

(22/07/2009)

ContactPoint, the national children's database, has been devised by the Department for Children, Schools and Families to help the government monitor and intervene in children's welfare. It houses the name, address, gender, birthday and ID code of each child, their carers, and contact details for local authority services such as schools and doctors. Access to the database is facilitated by the Employee Authentication Service (EAS) authentication system which went live on 8 June, allocating a token to around 800 pilot employees initially with national roll-out planned from October.

Access privileges ensure that staff can only view the details they require. However, the system has already been delayed three times following security concerns over shielding the privacy of 55,000 children whose whereabouts need to be protected.

Overtis Systems has highlighted a number of concerns around the security of ContactPoint. The database carrying the details of 11 million children in the UK will be accessible by 390,000 users making the system highly vulnerable at thousands of endpoints. Overtis warns that the system would benefit from tighter security management, citing biometric authentication, administrator monitoring, change management, and auditing as potential areas for improvement.

Overtis Systems highlights a number of security weaknesses with regards to the ContactPoint system:

* Stronger authentication:
Two-factor authentication is stronger than relying on a password alone and EAS is based firmly on best practice and solid technology, with timed SAML Assertion. However, it still doesn't address the issue of hijacking another user's session by using someone else's computer while they are away from their desk. Given the sensitivity of the data within ContactPoint, serious consideration should be given to the deployment of biometric devices, preferably using finger vein technology, certainly for high-level access.

* Administrator access:
Across the user-base access is determined by role but there is little mention of how administrator access is monitored or managed. IT and database administrators will probably have system-wide access. This should also be secured, with administrator access subjected to the same security considerations as those lower down the chain.

* User Administration:
The sheer number of users on the system means that user administration - particularly removing user access or downgrading their access to the most sensitive data when they leave a particular role - is going to require substantial management and it is not clear whether this has been considered.

* Monitoring and Audit:
Logging and auditing a system of this size represents a significant challenge. Spotting suspicious or malicious activity or unusual patterns of use is likely to be highly problematic.

"Why the government has created this security headache in the first place, particularly when their track record on data handling raises serious questions, is something of a mystery. Risk management would suggest a far safer approach is to only catalogue the details of children who have received services," said Richard Walters, Product Director, Overtis Systems.

"Government spokespersons have stated that information from the database cannot be copied onto removable media but there has been no mention of endpoint security. The endpoint will almost inevitably turn out to be the weak link in the chain, with targeted malware a very real concern. Without comprehensive security at the endpoint, between the user and the data, it is relatively simple to copy data out of any application. In a Windows environment and with a little knowledge we'd even go so far as to say a child could do it".

Related topics:  Data management and data security   Fingerprint biometrics   Security management and policies 

Print version | Email to a friend | Related articles

Data breaches: Trends, costs and best practices gives you all the latest information on securing personal and corporate data, key recommendations for immediate action to improve data security, and how to respond to data breaches.

Other Security news and resources