UK Scouts database 'flaws' raise concerns
System holds records of ALL scouts in the country
Updated Serious concerns have been raised over the security of the Scout Association's database, which holds the contact details of 450,000 young people and volunteer adults, The Register can reveal.
A Scout leader contacted the Register to express grave concerns that the association's Compass database is not secure, despite the organisation's assurances it had been tested. The system has been in development for two years and went live in September.
But this week it emerged users could change details such as date of birth of other members – the same details used to conduct password resets. That functionality has now been temporarily removed after members took to the Compass forum to complain.
Earlier in the week, the system's search functionality had to be modified after members reported that a basic records search yielded too much information.
El Reg understands the system has been dogged with problems since going live. But the current flaws raise questions over whether security bugs could give access to non-members.
"To many people this calls into question the initial assurances given on security," said one source familiar with the system. "If these bugs are being found by regular users, I am pretty sure the vulnerability assessment or code checking was poor...
"And I am sure a determined effort would yield many more holes that may not need you to be a member," our insider claimed.
The source added: "It may have been designed with the Data Protection Act compliance in mind, but many leaders feel it is not fit in this regard."
A spokesman from the association said the safety and security of everyone associated with the movement is always paramount.
"We have engaged highly regarded contractors and security experts to ensure that we comply with data protection legislation and keep our data safe. We regularly check the security of our systems by using specialists in this field."
Every adult using the system will have been thoroughly vetted via criminal records disclosure checks, he said.
"Compass is not a publicly accessible system. We have been live testing the system across the UK since the autumn of last year. Our volunteers have been using the system for live real time work since the Christmas/New year period."
He said managers had been able to see contact membership data of members but could not edit data outside their level of management control. "We are looking to remove the ability for our managers to see data that is not directly relevant to their role when carrying out data entry functions," he said.
"We have logged this issue with our suppliers, developers and data protection and security experts: we will then take any actions recommended by them." ®
A Scouts spokesperson contacted us since the publication of this story to say: "There is no evidence at all to suggest that there are any security bugs present in Compass that could grant access to data to non-registered users. We work with security experts to test the security of our systems on a regular basis to keep our data safe."