MPs question security of digital ID system

Cite history of unsecured work on government systems

The UK government is facing growing scrutiny over whether the technology underpinning its flagship digital ID programme can adequately protect citizens' personal data.

The scrutiny follows a series of warnings from MPs, whistleblowers and cybersecurity experts.

The UK’s new ID scheme, which will make a digital identity available to all citizens and legal residents, is a central pillar of Prime Minister Sir Keir Starmer's plan to modernise access to public services.

Under current proposals, the digital ID will be mandatory only for employment, though officials hope widespread adoption will streamline everything from tax filing to healthcare access.

The digital ID will be based on two systems already under development: Gov.uk One Login and Gov.uk Wallet.

One Login, a single account for accessing online government services, already has over 12 million registered users, according to official figures.

The number is expected to rise to 20 million by the end of 2025, as identity verification through One Login becomes compulsory for new company directors from 18^th November.

The complementary Gov.uk Wallet, still in development, will act as a secure smartphone-based repository for key identity data, including name, date of birth, nationality, residential status and photo ID. Users will access it via their One Login credentials.

A pilot version of the technology is already being tested through a digital ID card for military veterans, launched last month.

Officials say personal data accessed via One Login will be stored across individual government departments rather than in a single centralised database, a move designed to mitigate the risk of large-scale breaches.

However, not everyone is convinced.

Veteran civil liberties campaigner and Conservative MP David Davis has accused the government of neglecting the security of citizen's data. He has warned that flaws in the design and implementation of One Login could expose millions of citizens to hackers.

"What will happen when this system comes into effect," he told a Westminster Hall debate, "is that the entire population's entire data will be open to malevolent actors."

Davis cited a 2022 incident in which development work on One Login was carried out on unsecured workstations in Romania by contractors lacking security clearance.

Davis also claims the system does not currently meet the government's own standards to qualify as a trusted digital identity provider.

The government blames a lapse in certification on a supplier issue and insists that compliance will be restored "imminently."

Further doubts have been voiced by Liberal Democrat technology spokesman Lord Clement-Jones, who says he has spoken to a whistleblower alleging that One Login has missed the 2025 deadline for securing "critical systems" under the government's national cybersecurity strategy.

The whistleblower reportedly told him the system would not pass key security tests until March 2026, contradicting official assurances.

The same source claimed that a government red team – a group of cybersecurity experts simulating a real-world attack – was able to gain privileged access to One Login systems during a test in March 2025.

While the Department for Science, Innovation and Technology (DSIT) confirmed that red team testing took place, it denied the system had been penetrated or that any such breach went undetected.

A DSIT spokesperson said the team of subcontractors in Romania was "a handful of people, none of whom had access to production systems," and stressed that “all code was reviewed and all development devices are corporately managed and monitored for malicious activity."

The spokesperson added, "Gov.uk One Login continues to deliver for citizens across the UK.

"The system undergoes regular security reviews and testing, including by independent third parties, to ensure security remains strong and up to date.”