Channel 4 News has just run an exclusive story reporting that the NHS doctor application system has been exposing every application form completed by trainee doctors. Victoria McDonald and Ben Cohen discovered this morning what appear to be files containing all the details from the applications, including name, address, age, religion, sexuality, criminal records (if any) and their references, sitting on an Internet-facing address.
Thus far little is being said about how it happened, and by that I mean whether it was the system or a person misusing the system. Theoretically speaking, it could be the system itself that creates an extraction from the database of applications and puts it in a file for later delivery to an HR team, maybe. The implication would be that the system is writing those files to an insecure place, which is poor if that is the case.
The other possibility is that an administrator, for some reason, ran an ad hoc extraction of the data, dumped the file somewhere and wasn't thinking. In which case they should probably be disciplined for being a prat, a bit like what happened last year when AOL managed to publish its customers' searches on the Net for everyone to see.
What bothers me most is how - if it was the system - the application managed to get through operational acceptance procedures. Any sysadmin worth his salt would spot a security flaw like that and stop it going live. Having said that, this is a Government IT project in the NHS, so what do I know? I work in the private sector.
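The operational acceptance check the paragraph above has in mind can be made concrete. The script below is an added example written for this post, not code from the MTAS system or from Channel 4's report: it walks a directory that is served to the Internet and flags any file that looks like an applicant-data extraction, using the field names listed in the story as its signature. The field list, the file suffixes and the sample web root are all constructed assumptions for the demonstration; a real deployment would tune them to its own schema.

```python
import os
import tempfile
from pathlib import Path

# Column headers that mark a file as an applicant extraction. These are the fields
# the story lists (assumption: a real check would use the system's actual schema).
# "age" is deliberately left out because it is a substring of too many other words.
SENSITIVE_FIELDS = ("name", "address", "date of birth", "religion",
                    "sexuality", "criminal", "referee")

# File types an ad hoc or scheduled database extraction is likely to produce.
EXPORT_SUFFIXES = {".csv", ".txt", ".xls", ".xlsx", ".sql", ".xml", ".dat"}


def classify_file(path: Path, min_hits: int = 3):
    """Return the sensitive field names found in the first 8 KB of a file,
    or [] if the file does not look like an applicant-data export."""
    if path.suffix.lower() not in EXPORT_SUFFIXES:
        return []
    try:
        head = path.read_bytes()[:8192].decode("utf-8", errors="ignore").lower()
    except OSError:
        return []
    hits = [field for field in SENSITIVE_FIELDS if field in head]
    # Require several fields together so a lone word like "name" does not fire.
    return hits if len(hits) >= min_hits else []


def find_exposed_exports(web_root, min_hits: int = 3):
    """Walk an Internet-facing directory and return {relative_path: [fields]}
    for every file that looks like a data dump. Run this before go-live and
    again on a schedule, since the dump may be written after acceptance."""
    root = Path(web_root)
    findings = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            p = Path(dirpath) / name
            hits = classify_file(p, min_hits)
            if hits:
                findings[str(p.relative_to(root))] = hits
    return findings


def build_demo_root():
    """Construct a throwaway web root: one innocent page, one harmless text
    file, and one applicant extraction left in a downloads folder.
    All of the content is made up for this example."""
    root = Path(tempfile.mkdtemp(prefix="webroot_"))
    (root / "index.html").write_text("<html><body>Careers portal</body></html>\n")
    dump_dir = root / "downloads"
    dump_dir.mkdir()
    (dump_dir / "applications_export.csv").write_text(
        "name,address,date of birth,religion,sexuality,criminal convictions,referee 1\n"
        "A. Person,1 Example St,01/01/1980,Not stated,Not stated,None,Dr Example\n"
    )
    (dump_dir / "readme.txt").write_text("Static assets for the careers portal.\n")
    return root


if __name__ == "__main__":
    demo_root = build_demo_root()
    for rel_path, fields in find_exposed_exports(demo_root).items():
        print(f"EXPOSED {rel_path}: matched fields {fields}")
```

The threshold of three matching headers is a deliberate trade-off: a single field name turns up in ordinary web content, but name, address, religion and criminal-record columns together only appear in the kind of extraction the story describes, whether a scheduled system export or an administrator's one-off dump.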
Update: Ben Cohen's report here seems to suggest that it was a person who decided to store the information on an external Internet-facing server (did they want to do work at home?). The mind boggles at what sort of idiot would do such a thing, if that is the case. Did they hope no one would find it, thereby going for the "security by obscurity" principle?