You would have thought that with the mass public objections to Digital ID including nearly 3m signing a online petition, the construction of the framework for Digital ID would be robust and demonstrate technical competence but you would be wrong.

We have our Ministers offering worthless words about world leading security and safety of our data, but the reality on the ground is a catalogue of errors, cut corners, and alarming vulnerabilities. New reports and whistleblower testimonies have blown the lid off the government’s backbone to the Digital ID, the GOV.UK One Login system. They reveal a project that is not only dangerously insecure but has allegedly outsourced our national security to the lowest bidder.

Outsourced to Romanian with no security checks

So whilst these Ministers continue the narrative that this system is secure, the picture they try to paint is collapsing around their ears. Investigative reports from late 2025 revealed that critical development work for the One Login system was allegedly offshored to contractors in Romania without the knowledge of senior members of the project team. Whistleblowers within the project also warned that developers overseas were granted access to sensitive system components without the necessary security clearance.

Security testing failure

Even more chilling are the reports of a Red Team test, a simulation designed to test system defences, that failed miserably. Ethical hackers reportedly managed to plant malware on a system administrator’s device and access sensitive areas of the network without detection. The system’s security didn’t log anything. The breach went entirely undetected by the security monitoring teams. Beta versions of software deployed to a staging server for testing always have issues, hence the very nature of a beta testing phase before release, but a security system not picking up anything from an intrusion and placing of malware during a testing cycle is unbelievably incompetent.

If a test team can walk through the front door unnoticed when the security is on the look out, what are foreign intelligence agencies like China or criminal gangs already doing? And if you think that data is securely encrypted at rest you really think thats going to be the case when you know of other complete incompetence? Its highly doubtful and don’t forget, China are already harvesting encrypted data that can’t be encrypted today but once quantum computing becomes more accessible it will be cracked within weeks.

Contractor Certification lapses & NCSC concerns

Don’t worry, it gets much worse. In May 2025, it emerged that the One Login system had actually lost its certification under the government’s own Digital Identity and Attributes Trust Framework. Why? Because a key technology supplier failed to renew its compliance.

The NCSC (National Cyber Security Centre) has reportedly flagged risks relating to bulk data theft and identity fraud, warning that the system could expose the locations of vulnerable individuals, such as those in witness protection.

Governments cannot be trusted

These MPs who throw around phrases like ‘safe and secure’ are asking us to trust them with a single digital ID that unlocks our entire lives from health records to tax details, banking, travel and location. But their track record suggests they couldn’t be trusted to run a bath, let alone a national identity database. Over the last five years, the UK government and its contractors have presided over a wild west approach of data protection, characterised by amateurish errors and catastrophic hacks. They demand total transparency from us, failing their own standards, while their own systems leak like a sieve.

• Ministry of Defence Payroll Hack (May 2024): In one of the most embarrassing breaches in recent history, the banking details and personal addresses of 270,000 serving personnel and veterans were accessed. The breach, blamed on a malign actor (widely suspected to be China), targeted a third-party contractor system, exposing our armed forces to potential coercion and fraud.

• Email Hacks of Parliamentarians (March 2024) Security services revealed that APT31 conducted reconnaissance activity (phishing and email monitoring) against British MPs and peers. The targets were those who had been vocal critics of the Chinese government, such as members of the Inter-Parliamentary Alliance on China (IPAC).

• Critical National Infrastructure Hacks (August 2025) Salt Chinese-linked companies were identified as targeting foreign governments and critical telecommunications networks. In December 2025, the UK sanctioned two specific Chinese firms (i-Soon and Integrity Technology Group) for their roles in managing botnets and providing hacker-for-hire services to Chinese intelligence.

• The Electoral Commission Cyber-Attack (Revealed Aug 2023): For over a year, hostile actors had access to the Electoral Commission’s servers without anyone noticing. The attackers accessed the names and addresses of 40 million voters registered between 2014 and 2022. It was arguably the largest data breach in UK history, yet the public was kept in the dark for months.

• PSNI Spreadsheet Disaster (Aug 2023): In a display of sheer administrative incompetence, the Police Service of Northern Ireland accidentally published a spreadsheet online in response to a Freedom of Information request. The document contained the names, ranks, and duty locations of all 10,000 officers and staff. In a region where police security is life and death, this error forced officers and their families to move house in fear for their lives.

• The Capita Breach (March 2023): A cyber attack on government outsourcing giant Capita left dozens of local councils and the UK’s largest pension fund exposed. The breach compromised the data of thousands of citizens, proving that outsourcing vital state functions to the private sector often just outsources the blame when things go wrong.

• Home Office Delete Blunder (Jan 2021): A coding error led to the accidental deletion of 15,000 police records from the Police National Computer, including fingerprint and DNA records of suspects. Criminals were effectively given a clean slate because the Home Office couldn’t manage its own Delete button.

The pattern is undeniable. Governments are not capable of managing a centralised, high-security digital identity infrastructure. They are building a honeypot for hackers, and when it inevitably goes wrong, it will be your identity that is stolen, and lets be honest, probably by China now they are about to be given the go ahead for the biggest state monitoring operation in the EU right here in central London right next to critical communication cables.