ICO website security certificate expired yesterday - is it breaking its own rules?

Site features facility to register user company details, which may present security risk

The Information Commissioner's Office (ICO) website has an out-of-date SSL security certificate and has been running as an "untrusted" site since 11.59pm yesterday - despite the page including facilities to share private data with the ICO.

Visitors to the page are greeted with messages informing them that the ICO - which is responsible for upholding good data security and privacy practice in both the public and private sectors of the UK - may be "trying to steal your information", including passwords, messages or credit card data, or simply that connection to the page "is untrusted", and that the ICO's page may be a fake version impersonating the genuine one.

While it's unlikely that the ICO's page has been hijacked in any way, such a simple security oversight on the organisation's part is ironic, and potentially problematic, as the site appears to include the option to gather private data (for notification about the Data Protection Act) via a company registration function.

Solving the problem would be as simple as the ICO purchasing a new security certificate from any number of third-party suppliers.

Computing has contacted the ICO for comment, but while the organisation maintains it is aware of the out-of-date certificate, we are still awaiting an official statement. The organisation's site now states it is having "technical problems uploading" its new security certificate, which it is "working to resolve".

Visitors to the page are now being redirected to an HTTP version of the page rather than the secure HTTPS original while the issue is resolved.

The ICO has been criticised several times in the past for seemingly focusing its fines on the public sector while being unduly lenient toward private sector companies. Last week the organisation was given new powers to keep closer tabs on the NHS via regular audits, but the ICO reported back in January that shoe retail chain Office, which recently exposed a million customers' personal and financial details to risk via a security breach, was just let off with a warning.