BBC NEWS
Friday, 25 January, 2002, 17:32 GMT
How training details were 'stolen'
[Image: Computer training courses were popular]
Training providers say security on the government's training accounts scheme was so poor that crooks could have accessed people's account numbers by guesswork.


Individual Learning Accounts (ILAs) were stopped across the UK in December because of fraud.

Ministers have said the final straw was that account numbers had been stolen from the database operated for the government by the management and software consultancy Capita, and were being offered for sale.

This has been blamed on unauthorised access by a few rogues who had registered as training providers.

How it worked

ILAs were open to everyone in the UK aged 19 or over and intended originally to run for five years, but were halted after little more than a year as allegations of misuse rose.

The first million people to open an ILA account were given £150 to put towards the cost of a course.

The next 1.5 million to do so were given 20% discounts off courses costing up to £200.

The subsidy was 80% for information technology courses - which is why so many have been to do with computers.

Individuals who applied for ILAs were sent account numbers which they then gave to a training provider.

Registration

Organisations had to register as training providers. More than 8,000 did so and the checks on them were minimal.

The providers were allocated an identity number and password for Capita's web-based system.

They would initially book someone onto the system as intending to take up training. This involved simply entering their intended course and the ILA number.

When that person began the training, the provider returned to the system and hit a "Confirm" button - and in about 10 days would be paid the £200 by the department.

Sequential

But according to a legitimate training provider, the ILA numbers were in sequences.

From actual numbers
Guess the next one:
. . . . . . 5039
. . . . . . 5050
. . . . . . 5061
. . . . . . 5072
. . . . . . 5083
They were 10-digit numbers, typically beginning with a 4 and ending with, for example, 133, 144, 155 - gaps of perhaps nine or 11 digits.

The sequence was easy to guess if you already had a couple of numbers: If there were numbers ending in 133 and 155, it was not hard to work out that there would be a 144, and so on.

If you guessed a valid number, the system would produce the name and address of the account holder and how much of the £200 had been spent.

If there was unclaimed money in the account, hitting the "Confirm" button would trigger the payment to you.

Trawling

This is put forward as one reason why, when many people came to take up their training, they found their account had apparently been used already with a training provider they had never heard of.

Legitimate training providers say any registered provider could scour the system for unused accounts.

Because the system gave them the person's name and address they could even send them some paperwork or a CD-ROM in the post and claim they had indeed provided "training", in case they were audited.

Some people were issued with more than one number, it is claimed.
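
The trawling described above leaves a recognisable trace in a lookup log: one provider querying account numbers at a fixed step, with some guesses missing. The sketch below is an added example, not part of the original report or of Capita's system; the log format, provider IDs, account numbers and thresholds are all assumptions constructed for illustration.

```python
from collections import defaultdict

# Constructed sample lookup log: (provider_id, account_number, account_found).
# Provider IDs and account numbers are invented for this example.
LOOKUPS = [
    ("P-0007", 4000125039, True),
    ("P-0007", 4000125050, True),
    ("P-0007", 4000125061, False),
    ("P-0007", 4000125072, True),
    ("P-0007", 4000125083, True),
    ("P-0007", 4000125094, False),
    ("P-0112", 4000981133, True),
    ("P-0112", 4000317456, True),
    ("P-0112", 4000660201, True),
]

def longest_constant_stride_run(numbers):
    """Length of the longest run of consecutive lookups sharing one fixed step."""
    if len(numbers) < 2:
        return len(numbers)
    best = run = 2
    for i in range(2, len(numbers)):
        step, prev_step = numbers[i] - numbers[i - 1], numbers[i - 1] - numbers[i - 2]
        # A repeated lookup of the same number (step 0) is not enumeration.
        run = run + 1 if step == prev_step and step != 0 else 2
        best = max(best, run)
    return best

def flag_enumeration(lookups, min_run=4, max_miss_ratio=0.2):
    """Flag providers whose lookups walk a sequence or miss unusually often."""
    by_provider = defaultdict(list)
    for provider, number, found in lookups:
        by_provider[provider].append((number, found))
    flagged = {}
    for provider, rows in by_provider.items():
        run = longest_constant_stride_run([n for n, _ in rows])
        misses = sum(1 for _, found in rows if not found) / len(rows)
        if run >= min_run or misses > max_miss_ratio:
            flagged[provider] = {"stride_run": run, "miss_ratio": round(misses, 2)}
    return flagged

if __name__ == "__main__":
    print(flag_enumeration(LOOKUPS))
```

A legitimate provider enters numbers handed over by real learners, so its lookups should show no fixed stride and almost no misses.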

Questions

One training provider who is angry about the mishandling of the scheme said that, as an experiment, he had attempted to register his 11-year-old son - putting the boy's date of birth as 1991 instead of 1981.

Four days later a form arrived for him to sign to claim a learning account.

"You have to ask yourself how many of the 2.5 million people who supposedly registered for ILAs don't really exist," he said.

He is critical of the laxness of the online system.

"Haven't they heard of the Data Protection Act?

"How would you feel being with a bank, for instance, knowing anyone could guess your account number and bring up your details and know where you live and how much is in your account?

"Anything that's on the internet has got to be made secure."

Design flaws

Capita has said the account numbers "were designed to be membership numbers only, not as part of the system of security measures".

It had worked to the Department for Education's specification.

It confirmed that it believed a limited number of the "closed community" of 8,000 learning providers had abused their authorised access.

Civil servants admitted to MPs this week that the system had not been "robust enough".

A spokesperson for the Department for Education said: "We are working closely with Capita to get a comprehensive account of how a small number of unscrupulous learning providers were able to exploit their access to the system.

Review

"We've also retained external assessors to provide an independent view of the problems and the extent to which existing security measures were properly specified and fit for purpose."

Capita is a highly successful company which enjoys considerable official confidence.

As well as the £50m ILA deal it has contracts with, among others, the National Criminal Intelligence Service and the Criminal Records Bureau, and many education authorities - its systems are the backbone of the electronic pupil census.

Its biggest contract to date - £500m over 10 years - involves taking over the TV Licence operation for the BBC.
