"Huge" island-wide security risk identified in online tax system

Monday 06 May 2019

Fears that sensitive personal data is at risk of being breached because of Guernsey’s out-of-date Revenue Service security system, have been raised with the Office for Data Protection Authority (ODPA).

The States Revenue Service website ‘eforms.gov.gg’ processes tax returns for individuals and businesses. The service confirmed to Expressit has “identified a risk” in the system which is still in place.

“The system stores all the passwords in plain text in the database, a practice which has been considered a huge security risk for well over a decade,” said freelance Developer and Technology Consultant Jim Rouse, who made the complaint about the system to the ODPA. 

“It's a violation of GDPR but it's also a huge liability if the database is compromised.

“Database breaches are not uncommon, they are often achieved by simple attacks by unsophisticated attackers,” he said. 

The system is an eForm platform which has been operated by ‘web labs’ since 2007.  

Pictured: The eforms.gov.gg website under scrutiny. 

“As far as I can tell the company that made the original system is still going and supporting councils [in the UK], so they have more up to date versions, but it seems the Guernsey one has never been updated,” said Mr Rouse. 

Mr Rouse said breaches of this sort can often lie undetected:

“If an attacker gets ahold of your user database, essentially a big spreadsheet of user information, they could then look up any user and password they wanted. 

“Worse than that, because humans are bad at security, we tend to use the same passwords for things, so an attacker might try to access, for example, your email account using your password. Once they have your email account they could gain access to practically any account you have on the internet as almost all of them allow you to reset your password from email.

“Consider the potential sensitive data concerning finance and high net worth individuals on this island and then the potential reputation damage.I'm a low net worth individual but I still don't want my personal finances plastered across the dark web,” said Mr Rouse.  

Pictured: Developer Jim Rouse. 

Mr Rouse also has concerns about the way the States communicates with website users to set passwords, 

“Not to mention simply searching your historic email for the word ‘password’ and finding any emails, like those of the Guernsey online tax submissions service, that send your password in plain text over email. Industry practice for many years now has been to, at the bare minimum, securely ‘hash and salt’ passwords, which is similar to encrypting them in the database.

“Even that now has become out of date as more sophisticated techniques are able to leverage the sheer amount of compromised historical data to calculate likely passwords out of this,” he said. 

Sarah Davies, Head of Customer Services at the States Revenue Service said The States of Guernsey takes cyber security very seriously. 

“The ability to complete an income tax return online was launched in 2007 and regular reviews of the online system are carried out by way of penetration testing where risks to security breaches are identified and plans are put in place to address them as appropriate.

“The storage of plain text passwords in the database has been identified as a risk from our proactive penetration testing.  The Revenue Service are actively undertaking steps to rectify this to ensure all elements of the system adhere to the highest standards of data security.

“The eForm system login is protected by four different elements, which are the login email, password, tax reference and the memorable word. Therefore, the password alone is not enough to access any sensitive data. The registration email that is sent from the Revenue Service in terms of the password is delivered in plain text, as is common in many similar private sector services.  While the service is not responsible for the password management of individuals, we encourage users to change a password within the online service.

“More widely, improved cybersecurity along with better efficiency and ease-of-access, is a key objective of the proposed Future Digital Services programme which is due to be debated by the States of Deliberation in June. The programme will ensure the latest technology is applied and regularly updated in every area where the public interacts with government online,” she said. 

Last October the States launched a survey of the Revenue Services when income tax and social security services were combined into one Revenue Service. It reported that overall satisfaction averaged at 3.01 out of 5. 

The ODPA confirmed they had received a complaint but could not comment further at this time.