The National (Scotland)
Abbi Garton-Crosbie

Digital ID data would be 'highly valued prize' for hackers and extortion gangs

DIGITAL ID data would be a "highly valued prize" for extortion gangs and hackers, an expert has said.

On September 26, Prime Minister Keir Starmer announced plans to make digital ID mandatory to prove your “right to work” in the UK, prompting public outrage from across the political spectrum.

Digital ID is not a new idea – it is used in many countries around the world, from Estonia to India and Nigeria, with the European Union (EU) set to introduce its own iteration.

Concerns over civil liberties, privacy and human rights abound, and while details of the system are still thin on the ground, one looming concern is that the data held in a centralised system will be a prize waiting to be won by hackers and bad-faith actors, who could seek to sell private information on the dark web.

Duncan McCann, head of tech and data at Good Law Project, told the Sunday National that a digital ID database would be highly sought after.

“One thing that you can be sure about, given enough time, is that all data will become public. It's just a matter of when rather than if, in my view,” he said.

“It is impossible to make a 100% secure system.

“All you can do is make it secure enough against the threat that you expect to face, and so you can expect to face a really massive threat from this because this is a hugely valuable data set with everybody's personal details, along with the bit of information that gives them a right to work there, and potentially the photo attached to them.

“This would be a high-value prize for any extortion gang, any fraudsters operating.”

McCann said that single systems, like one that supports digital ID and “aggregates everything together”, can be efficient but carry risks.

“I think it would only be a matter of time, as we've seen with most other sensitive databases, that they would end up on the dark web,” he added.

There have been many notable hacks on secure databases holding important data in Scotland and the UK in recent years.

In March 2024, a ransomware group stole an estimated three terabytes of data from NHS Dumfries and Galloway, which was put on the dark web.

It is understood to have included clinical information on thousands of patients, both adults and children, as well as financial data on staff.

The Ministry of Defence (MoD) was hacked in May 2024, with the personal information of serving UK military personnel accessed through its payroll system.

The information is understood to have contained names and bank details of current – and some former – armed forces members. In some cases, personal addresses were believed to have been accessed.

And, in 2022, the Electoral Commission (EC) was discovered to have been hacked by Chinese cyber spies who accessed the private details of 40 million UK voters.

The hackers had access to the full open electoral register, which contains names and addresses, and were able to read every email sent and received by the EC for over a year while they had access to the system.

“Every day when we leave our house, we lock our door with that key, and it feels really safe,” McCann explained.

“But it's very easy for a motivated person who wants to get in to get in, and it's a bit the same way with our data, there's nothing that we can ultimately do to stop a really motivated attacker getting it.

“Even at an enterprise level, it's very, very hard to protect it fully.

“There isn't a great track record of being able to keep this really sensitive data private.

“I think it should only be done if the projected benefits by far outweigh the risks.”

McCann added that it was hard to see “what benefits we’re exchanging all of these known risks for”.

He said: “For all these very uncertain benefits that again, international experience and the track record, just don't make it clear that we can achieve the goals of stopping illegal working and illegal migration. It just doesn't feel possible.”

McCann also said that, as employers and others may be repeatedly accessing the database to check the right to work for employees all across the country, it would make it easier for hackers to find a way in.

“What we would be seeing is every single employer is able to constantly ping this thing, check its information, and so that means there'll have to be all of these data flows happening all of the time, and again, that just opens up a massive, much bigger surface area to potentially exploit an attack,” he added.

“I think that remains definitely a big concern.”
