UK Digital ID Security Crisis: Vulnerabilities Exposed in 2026
The UK government’s push for a mandatory digital identity system has hit a wall of security concerns that go far beyond ordinary implementation bumps. By June 2026, those questions have only grown louder, with whistleblowers, MPs, and cybersecurity experts all pointing to the same conclusion: the Gov.uk One Login platform, which will underpin the entire digital ID scheme, has significant security vulnerabilities that have not been fully addressed.
The stakes are enormous. The government’s Digital ID will be made available to all UK citizens and legal residents, and it will be mandatory for employment checks. More than 12 million people have already signed up for One Login, and that number could reach 20 million by late 2026 as company directors are required to verify their identity through the system. If the platform’s security gaps are exploited, the consequences could be catastrophic: the personal data of millions of citizens (name, date of birth, nationality, residence status, and photograph) all potentially exposed to malicious actors.

The Big Picture: Why the UK Digital ID System Faces a Crisis of Trust
The UK’s digital identity infrastructure rests on two government-built systems: Gov.uk One Login and Gov.uk Wallet. One Login is a single account for accessing public services online, while Wallet (not yet launched) would allow citizens to store their digital identity on their smartphones. The government has framed this as a convenience upgrade: one account for everything from filing taxes to proving your right to work.
But the security architecture has attracted serious criticism. Veteran civil liberties campaigner and Conservative MP David Davis has warned that the system’s flaws could leave it vulnerable to hackers, foreign nations, ransomware criminals, and even personal or political enemies. In a Westminster Hall debate in October 2025, Davis said the potential fallout “will be worse than the Horizon [Post Office] scandal.” He has written to the National Audit Office calling for an urgent investigation into One Login’s cost, which he says is certain to rise above the 305 million pounds already earmarked for it.
The core of the concern is this: the government’s Digital ID system collects and stores highly sensitive personal data, and the platform that manages access to that data has a documented history of security lapses. The government claims it avoids a single point of failure by keeping personal details stored in individual government departments rather than in a centralized database. But critics argue that One Login itself, as the gateway to all of that data, represents an attractive single target for attackers.

One Login Security Gaps: Unsecured Workstations, Missed Deadlines, and Lapsed Certification
The most detailed account of One Login’s security problems comes from a 2022 incident that resurfaced during parliamentary scrutiny. Davis highlighted in his letter to the National Audit Office that the One Login system was being developed on unsecured workstations by contractors in Romania who did not have the required security clearance. This revelation raised immediate questions about code integrity and supply chain security.
The Department for Science, Innovation and Technology (DSIT) has since downplayed the severity, telling Liberal Democrat technology spokesman Lord Clement-Jones that the subcontractors in Romania were a “handful of people” none of whom had access to production systems and that “all code was checked.” But the incident exposed a deeper problem: the government’s ability to enforce security standards across its development supply chain.
Perhaps more troubling is the status of One Login’s certification. Davis pointed out that One Login does not meet the government’s own requirements to be classified as a safe and trusted identity supplier. The government has blamed the supplier for allowing its Digital Identity and Attributes Trust Framework certification to lapse earlier in 2025, claiming it is working toward restoration. But the fact that the system at the heart of the UK’s digital ID strategy does not currently hold the certification it requires raises obvious questions about how ready the platform is for mandatory use.
The NCSC’s own 2025 annual review acknowledges that digital identity systems “have potential to be more difficult for attackers to compromise than traditional identity systems, if they are designed and implemented correctly.” That “if” is doing heavy lifting. The review also warns that “attackers of all capabilities are pivoting away from targeting individual devices in favour of targeting user identity,” and that AI-generated deepfakes and falsified identity documents are becoming major threats.
| Security Issue | Details | Source |
|---|---|---|
| Unsecured workstations (2022) | One Login developed by contractors in Romania on unsecured workstations without required security clearance | BBC report citing David Davis letter to NAO |
| Lapsed trust framework certification | One Login does not meet government’s own requirements for safe and trusted identity supplier certification | BBC report citing David Davis parliamentary testimony |
| Missed 2025 cybersecurity deadline | Whistleblower claims government missed 2025 deadline for hardening critical systems against cyber attacks | BBC report citing Lord Clement-Jones testimony |
| Security tests delayed until March 2026 | Official reportedly told peer that One Login would not pass required security tests until March 2026 | BBC report citing Lord Clement-Jones |
| Red team penetration incident (March 2025) | Red team reportedly gained privileged access to One Login systems during simulated attack | BBC report citing whistleblower |
Whistleblower Claims and the Red Team Incident That Raised Alarm
The most dramatic revelations have come from whistleblowers inside the system. Lord Clement-Jones told the BBC that he has been speaking to a whistleblower who claims the government missed a 2025 deadline set out in its national cyber security strategy for hardening “critical” systems against cyber attacks. Ministers deny this, but Clement-Jones said he had been told by an official that One Login would not pass required security tests until March 2026.
The whistleblower also highlighted an incident from March 2025, when a so-called “red team” tasked with simulating a real-life cyber attack was reportedly able to gain privileged access to One Login systems. Red team exercises are standard practice for testing security, but the fact that the team reportedly achieved privileged access without detection is a serious finding. DSIT says it is unable to give details of the red team exercise for security reasons but claims that reports of systems being penetrated without detection are false.
Lord Clement-Jones told the BBC he was not convinced by the department’s assurances. He said the track record of successive governments running One Login and other systems “should give us all no confidence at all that the new compulsory digital ID, which will be based on them, will ensure that our personal data is safe and will meet the highest cybersecurity standards.”

NCSC Standards and Compliance: Does One Login Measure Up?
The National Cyber Security Centre’s 2025 annual review provides a framework for evaluating digital identity systems that makes One Login’s shortcomings clear. The NCSC identifies four core areas for building reliable digital identity: registration, authentication, management, and secure channels. Each area has specific requirements that the UK’s digital ID system must meet.
On registration, the NCSC warns that this phase is “the most security critical since it establishes the initial trust relationship and sets the foundation for all future trust between the system and the entity.” The NCSC explicitly states that “it is not possible to add trust in an entity after registration, without relying on the trust established during registration.” Given that One Login’s registration process was built by contractors on unsecured workstations, the foundation of trust is already compromised.
On authentication, the NCSC emphasizes that modern solutions should use “a trusted device’s secure element and local authentication hardware to handle complex cryptography.” But the NCSC also notes that these solutions “often rely on the assumption that everyone owns a device capable of supporting modern cryptography,” warning that “if this assumption is not actively addressed or resolved, we risk people being left behind.” The UK government has acknowledged that roughly one in twenty UK adults do not own a personal smartphone, raising questions about how inclusive the digital ID system can be.
On management, the NCSC warns that while digital identities can be updated more easily than paper records, “with the relative ease and speed of changes also comes the drawback that mismanagement (accidental or intentional) can also cause greater harm.” This risk is heightened when the system managing those changes has known security gaps.
What Citizens and Developers Should Watch in 2026
The UK Digital ID system is not going away. The government has handed overall control of the scheme to the Cabinet Office, reflecting its importance. Prime Minister Sir Keir Starmer has insisted the system “will have security at its core.” But the gap between that promise and documented reality is wide.
Several developments in the second half of 2026 will determine whether the system can earn the trust it currently lacks:
- Security test results. If the whistleblower’s claim that One Login will not pass required security tests until March 2026 is accurate, those results should be public by now. The government should publish the outcome of those tests and any remediation steps taken.
- Trust framework recertification. The government says it is working toward restoring One Login’s Digital Identity and Attributes Trust Framework certification. The timeline for recertification and the specific gaps that caused the lapse should be disclosed.
- Mandatory rollout. As company directors are required to verify their identity through One Login from late 2025 onward, any security incidents during this rollout will have immediate real-world consequences. The mandatory nature of the system means that citizens cannot opt out if they have security concerns.
- NCSC oversight. The NCSC’s role in evaluating and certifying the system will be critical. If the NCSC determines that One Login does not meet its standards, the government will face immense pressure to delay or redesign the system.
- Private sector implications. As a Yahoo Finance report on mandatory digital ID notes, critics argue that the government’s focus on mandatory right-to-work use cases could harm the UK’s private sector ID verification market. If the government’s system is compromised, damage could extend to the entire digital identity ecosystem in the UK.
Key Takeaways
- The UK government’s Digital ID system, built on Gov.uk One Login and Gov.uk Wallet, faces documented security vulnerabilities including unsecured development workstations, lapsed trust framework certification, and missed cybersecurity deadlines.
- Whistleblowers have reported that a red team exercise in March 2025 gained privileged access to One Login systems, though DSIT denies the breach went undetected.
- The NCSC’s 2025 annual review warns that attackers are pivoting toward identity systems and that AI-generated deepfakes pose growing threats to digital identity verification.
- One Login does not currently meet the government’s own requirements to be classified as a safe and trusted identity supplier, raising questions about its readiness for mandatory use.
- Citizens and developers should watch for security test results, trust framework recertification, and NCSC oversight in the second half of 2026 as key indicators of whether the system’s vulnerabilities are being addressed.
For more on how security frameworks apply to government systems, see our analysis of ISO 27001 certification requirements in 2026 and our guide to security audit preparation for organizations handling sensitive data.
Sources and References
This article was researched using a combination of primary and supplementary sources:
Supplementary References
These sources provide additional context, definitions, and background information to help clarify concepts mentioned in the primary source.
- UK Vulnerability Monitoring Service Cuts Unresolved Security Flaws by 75%
- Security concerns over system at heart of digital ID
- 2025 Cybersecurity Recap: The Year Systems Broke And Why 2026 Will Be Harder
- UK: The King’s Speech 2026 – Cybersecurity at the Forefront
- The future of digital identity | National Cyber Security Centre
Rafael