Fri. Nov 21st, 2025
Digital ID System Faces Security Scrutiny

The government’s digital ID plans are facing scrutiny amid concerns over the security of personal data within the proposed system.

While digital ID will be available to all UK citizens and legal residents, its use will be mandatory only for employment, according to the government’s proposals.

Detailed operational specifics are still forthcoming, but Prime Minister Sir Keir Starmer has asserted that security is “at its core.”

The initiative relies on two government-developed platforms: Gov.UK One Login and Gov.UK Wallet.

One Login, a unified account for accessing online public services, has reportedly garnered over 12 million sign-ups, according to government figures.

Projections estimate this number could reach 20 million by next year, as company directors will be required to verify their identity through One Login starting November 18.

Gov.UK Wallet, yet to be launched, aims to allow citizens to store digital ID information—including name, date of birth, nationality, residence status, and a photograph—on their smartphones.

Accessing the wallet will require a Gov.UK One Login.

The government recently introduced a digital identity card for military veterans as a pilot program.

To mitigate security risks, the government intends to keep personal data accessible through One Login within individual departments, avoiding a centralized database.

However, David Davis, a veteran civil liberties campaigner and Conservative MP, has voiced concerns that potential flaws in the design and implementation of One Login could expose it and the digital ID scheme to cyberattacks.

During a Westminster Hall debate earlier this month, he stated, “Once this system is implemented, the entire population’s data will be vulnerable to malicious actors—foreign nations, ransomware criminals, malevolent hackers, and even personal or political adversaries.”

“Consequently, this will be worse than the Horizon [Post Office] scandal.”

Davis has petitioned the National Audit Office for an “urgent” investigation into One Login’s costs, which he believes will exceed the allocated £305 million.

In his letter, the MP referenced a 2022 incident where One Login was reportedly being developed on unsecured workstations in Romania by contractors lacking proper security clearance.

Davis also noted that One Login fails to meet the government’s criteria for a safe and trusted identity supplier.

The government attributed the lapse in its Digital Identity and Attributes Trust Framework certification earlier this year to a supplier and stated that restoration is imminent.

Separately, Liberal Democrat technology spokesman Lord Clement-Jones has questioned One Login’s compliance with National Cyber Security Centre standards.

The peer mentioned conversations with a whistleblower who alleges that the government has missed the 2025 deadline set in its national cyber security strategy for securing “critical” systems against cyberattacks.

While ministers deny this, Lord Clement-Jones claimed an official informed him that One Login would not pass required security tests until March 2026.

The whistleblower also highlighted a March incident where a “red team” simulating a real cyberattack reportedly gained privileged access to One Login systems.

The Department for Science, Innovation and Technology (DSIT) cited security reasons for not disclosing details of the red team exercise but refuted claims of undetected system penetration.

DSIT officials also assured Lord Clement-Jones that the subcontractors in Romania were “a handful of people” without access to production and that “all code was checked.”

The department stated that all One Login team members use “corporately managed” devices monitored by a security team for malicious activity.

Lord Clement-Jones told the BBC he remained unconvinced by the department’s assurances.

He argued that the track record of successive governments in managing One Login and other systems “should give us all no confidence at all that the new compulsory digital ID, which will be based on them, will ensure that our personal data is safe and will meet the highest cybersecurity standards.”

Last week, Prime Minister Starmer delegated overall control of the digital ID scheme to the Cabinet Office, led by senior minister Darren Jones, underscoring its significance to the government.

However, the Government Digital Service, part of DSIT, will continue to oversee project design.

A DSIT spokesperson stated, “Gov.UK One Login continues to deliver for citizens across the UK.”

“One Login now supports over 100 services and has been used by more than 12 million people, representing nearly a sixth of the UK population.”

“One Login adheres to the highest security standards used across government and the private sector and is fully compliant with UK data protection and privacy laws.”

“The system undergoes regular security reviews and testing, including by independent third-parties, to ensure security remains strong and up to date.”
