Government departments responsible for running health and social care, and for collecting taxes, are using outdated software that leaves them wide open to cyber-attacks, according to a disturbing new investigation.
The use of “legacy” servers and databases has been uncovered through freedom of information (FoI) requests from the low-tax pressure group the TaxPayers’ Alliance. It has found that many of the systems in Whitehall were so out of date that they were no longer supported by Microsoft and would cost huge sums to replace.
The FoI requests were sent across Whitehall, but only three departments responded. Responses from HM Revenue and Customs (HMRC) showed that it was using tens of thousands of vulnerable servers and databases. Both the Department of Health and Social Care (DHSC) and the UK Atomic Energy Authority also reported using outdated software. Experts say that the use of old servers is far more widespread in Whitehall than the FoIs reveal, and that many IT systems need specialised updates in order to keep data safe, with the cost likely to run into hundreds of millions of pounds.
The revelations will raise further questions about the DHSC’s often chaotic responses to major health challenges, such as the recent pandemic, when it was reliant on such old systems. They will also call into question the feasibility and speed of moves towards a more digitised tax system that is a key aim of HMRC.
A former civil servant turned whistleblower who used to work on cybersecurity while in Whitehall told the TaxPayers’ Alliance: “The ongoing use of legacy systems in government is a disgrace and completely inexcusable. We move at such a slow pace that it seems only to get worse.
“In secure bits of the private sector like banks, heads would roll until all legacy systems were patched or replaced. These legacy systems mean the public simply cannot have confidence that government is protecting their personal data. These legacy systems are ancient, with a poor user experience too, so there’s every reason to change them.
“The problem is so bad that some of these systems could be taken down by an enthusiastic child – the vulnerabilities are publicly known, and pre-made malware is readily available. It keeps me awake at night worrying that at any moment, a key HMRC system or a hospital might get taken down because we have not got the most basic protections in place.
“In a world of highly sophisticated and bespoke cyber-attacks from elite hackers Russia and China, the fact we are so insecure is terrifying. As taxpayers, we deserve better.”
John O’Connell, chief executive of the TaxPayers’ Alliance, said: “These numbers are deeply troubling, showing that key parts of government remain reliant on ancient IT systems, despite being exposed to well-documented serious cyber-vulnerabilities.
“This failure is exposing data to criminals and costing taxpayers billions in maintenance and incident management.
“Ministers must urgently commit to bringing the state in line with private sector standards, rather than wasting billions on pointless pet projects.”
Last week, in a further sign of internal problems at HMRC involving technology, and the costs of updating it, a damning report from parliament’s spending watchdog warned that its long-delayed digital tax drive would cost six times as much as planned.
The National Audit Office (NAO) said HMRC’s Making Tax Digital programme was now three years late and more than £1bn over its original budget.
Meg Hillier, chair of the public accounts committee, said: “HMRC wanted to increase tax revenue, but completely underestimated the cost and scale of work required to move from its legacy systems and by business taxpayers to move to digital records.”
HMRC said it was making good progress in modernising its IT estate, something it saw as a priority.
The UKAEA said that the department had an ongoing programme of modernisation and was in the process of replacing a small number of legacy systems.
The DHSC said it would have removed all legacy IT from the department “in the coming weeks”.
