"The Information Commissioner’s office (ICO) is the UK’s independent public authority set up to uphold information rights. We do this by promoting good practice, ruling on complaints, providing information to individuals and organisations and taking appropriate action when the law is broken."

"We are responsible for data protection in England, Scotland, Wales and Northern Ireland; we also have some international duties."

With responsibilities like that, you'd expect the ICO to be the pinnacle of data security... wouldn't you?


3 years ago, I contacted the Information Commissioners Office to alert them to several security flaws which needed to be addressed.  They have since made numerous attempts to fix them, all to no avail.

XSS (Cross Site Scripting)

Cross Site Scripting exploits the trust a user has in a web page.  If you load a page from http://www.ico.gov.uk, you'd expect that every piece of information you see has been put there by the Information Commissioners Office.  That's usually the case, until an XSS flaw is introduced.  XSS allows a hacker to alter what you see, how the page functions and take control of the entire page.

SQL Injection

SQL injection exploits potentially allows any visitor to view, modify or delete the contents of a database-driven website.  In this case and perhaps ironically, the "Register for Data Controllers" was found to be vulnerable.  For obvious reasons, I can not provide a demonstration link, as this could potentially put the ICO and your information at substantial risk.


An SSL certificate is an essential prerequisite of any web site which needs to collect personal information safely.  Without it, any information you enter can be intercepted and read by anyone.  It's akin to your bank sending your statement without an envelope; it's on view to everyone at every stage of the delivery process.  The same applies to the web.  If you register to become a data controller at the ICO, you'd be forgiven for assuming that only the ICO can see your details.  Unfortunately, that's not the case.