Lessons Learned

Back to top

Generic Login & ID Card Creation

Published on 26 Jul 2018

Identification cards are issued by public agencies for a myriad of reasons. These cards can be a valuable commodity as they often bring benefits such as access, power, privilege and financial advantage to a person who holds one.

It is important that the creation and supply of identity cards is well governed to prevent inappropriate access. 

The Independent Commissioner Against Corruption recently concluded an investigation into an allegation that a public officer was inappropriately creating and supplying false identification cards.

Allegation & investigation

In 2017, the Office for Public Integrity (OPI) received a complaint alleging that a public officer was creating false identification cards for which the public officer was receiving a benefit.

The matter was assessed as raising a potential issue of corruption in public administration and an investigation commenced.

During the investigation it emerged that card creation facilities were available on a small number of shared terminals which could be accessed by several employees. Those terminals contained the software required to produce the cards. That software was accessible via a generic login that was known and used by many staff.

Although the card creation system did produce a dated log confirming that a card had been produced, that date could be changed manually. In addition the log did not capture the identity of the person making the card, nor did it capture the identity of the person for whom the card had been made. If cards had been falsely produced the system would contain no adequate record.

Lessons learned

This investigation identified serious vulnerabilities in the use of generic logins and other failings in identification card making processes and procedures.

Generic Logins

The use of generic logins is a major corruption risk. Even if the system had created a log that showed false cards were being produced, the system alone would not have captured evidence as to who had created the false card. Without detecting a person in the act of creating a false identity card, the conduct could go undetected for a prolonged period and put the safety and security of people at risk.

Agencies are encouraged to identify any systems in use that utilise generic logins. If such systems are identified, steps should be taken to determine the risk associated with the use of the system and, as necessary, establish a method of identifying and logging system access and use.

ID Cards

The investigation found that card making facilities were generally unsupervised and the risks associated with creating false ID cards was not well recognised. In addition, blank and spare cards were not held securely. 

A degree of caution should be exercised when giving employees access to the equipment and facilities necessary to produce ID cards. 

Likewise, thought should be given to how your agency might recover an identity card that a person is no longer entitled to.

Contact Us

If you have a suspicion of corruption, misconduct or maladministration, you can make a complaint or report to the OPI via the online form or by calling (08) 8207 1777.

For more information on the definition of maladministration or to request an education session for your agency,  visit the events & training page.