The £1.8bn Digital ID Scheme That Whistleblowers Say Can Be Hacked
Sold as an enforcement fix, built without a mandate — and now facing serious security warnings.
The government’s plan to make Digital ID mandatory for every adult by 2029 has been sold as an enforcement tool — to crack down on illegal immigration, illegal working, and “stop the boats”.
I’ve already explained why that pitch doesn’t stand up: Digital ID changes paperwork, not enforcement capacity. But the bigger concern is security. And this week, that concern became impossible to ignore.
An ITV News investigation, based on confidential documents and testimony from multiple senior civil service whistleblowers, reports that GOV.UK One Login — already used by more than 13 million people and set to underpin Digital ID — is failing mandatory cyber-security standards.
🚨 A System That Fails Quietly Is the Most Dangerous Kind
According to the whistleblowers, One Login is not meeting the government’s own “Secure by Design” and Cyber Assessment Framework requirements.
The most serious detail isn’t simply that vulnerabilities exist. Every complex system has vulnerabilities.
It is that, during a formal “red team” exercise earlier this year, testers were able to access sensitive parts of the system without triggering any security alerts.
That distinction matters. A system that detects intrusion can respond, isolate damage, and recover. A system that doesn’t detect intrusion cannot even say whether it has already been compromised.
Security without visibility is not resilience. It’s blindness.
Whistleblowers also raised concerns about access controls, including reports that individuals without the expected level of security clearance — and overseas contractors involved in development — had access to core components of the system.
Several insiders warned that if a hostile state actor or organised criminal group gained effective control, access to critical services such as pensions, welfare, and passports could be disrupted at scale.
That is what centralisation does: it turns technical failure into national disruption.
🧨 Centralisation Creates a Single Point of Failure
Digital ID is often described as a “wallet” or convenience layer. In practice, it functions as a gateway. As more services are routed through a single identity system, that system becomes a single point of failure for everyday life. If it goes down — through cyberattack, outage, or corrupted data — the impact is immediate.
You can’t prove who you are.
You can’t access services.
You can’t resolve problems quickly, because everything depends on the same system.
Decentralised systems fail locally. Centralised systems fail everywhere.
🌍 Europe Has Already Stress-Tested This
This isn’t theory. Other countries rolled out national digital ID systems first — and the record shows what happens when identity infrastructure scales.
Estonia, often held up as the gold standard, was forced into emergency remediation after the ROCA cryptographic flaw undermined around 750,000 digital ID cards. France has suffered repeated large-scale public-sector data breaches, including the 2024 France Travail incident affecting roughly 43 million people. And Germany’s eID system has faced demonstrated attack paths where malicious apps can intercept credentials and enable account takeover for linked services.
Different systems, same lesson: at the national scale, identity failures don’t stay small. They spread.
🤖 AI Raises the Stakes
AI can be a force for good — but it also shifts the balance of power towards attackers.
The state’s reassurance often rests on biometrics, liveness checks, and automated identity verification. The problem is that these safeguards aren’t static. As AI becomes more sophisticated, the tools used to defeat verification systems become cheaper, faster, and easier to scale.
That means the threat isn’t just “a hacker” breaking in once. It’s industrialised fraud: synthetic identities, automated attempts, deepfake-assisted verification, and malware designed to bypass checks at the device or pipeline level.
In short: the more the government relies on digital verification as a gatekeeper, the more it creates an incentive for adversaries to build better ways around it — and AI accelerates that arms race.
🚫 This Still Doesn’t Fix Illegal Working
Even if the security risks didn’t exist, Digital ID would still fail on its own terms.
Illegal working doesn’t happen because Britain lacks identity checks. It happens because enforcement is inconsistent, inspections are limited, and penalties are rarely applied at scale. A digital credential doesn’t change those fundamentals.
Countries with long-standing digital ID systems still face illegal working and irregular migration for exactly that reason.
Worse still, concentrating enforcement into a single digital identity system introduces new risks: identity theft, account takeover, spoofed verification, and AI-assisted fraud. These are not hypothetical threats — they are already well documented in biometric and identity systems around the world.
A compromised system doesn’t strengthen enforcement. It creates new ways to bypass it.
💷 The Cost — And the Silence Around It
There is also the question of money.
The cost of the Digital ID programme — £1.8 billion — did not feature in the Chancellor’s speech. It appeared buried in the OBR documents instead.
There is no new funding attached. The Home Office is expected to absorb the cost within its existing budget, meaning pressure — and likely cuts — elsewhere.
That matters because large public-sector IT projects have a consistent track record: they rarely arrive on time, on budget, or fully to specification. Whole-population identity systems involving biometrics and cross-department integration are among the highest-risk of all.
If this overruns — as so many comparable projects have — the question won’t be whether more money is needed, but what gets cut to pay for it.
✅ The Verdict
Digital ID is being presented as a solution to illegal working, to immigration control, and to enforcement more broadly.
But the evidence points in the opposite direction.
We are being asked to accept a mandatory identity system for the entire adult population, built on technology that whistleblowers say is failing basic security benchmarks, funded without new money, and sold on promises it cannot realistically deliver.
And it’s worth stating plainly: there was no manifesto mandate for this. A policy this sweeping — one that would make a single digital gateway compulsory for every adult — was not put to the public for consent at the ballot box.
That isn’t control. It’s centralising risk — technical, financial, and operational — and hoping the system never gets tested.
History suggests it will.
✍️ Jamie Jenkins
Stats Jamie | Stats, Facts & Opinions

This is Starmer trying to stay in line with EU mandates before joining them again
and after ID cards - computer chips under the skin!