@Anonymous Coward
You really don't understand what you are talking about, do you?
#########################
1) Why should databases be distributed? Should just be 2 data centres, a live one and one replicated for Business Continuity.
#########################
A database without which the entire country will grind to a halt based on a simple live+backup structure? OK, they *may* do it that way, but the ensuing chaos when the main site goes down and the backup won't come up would bang several nails into the Government's coffin lid. We ain't talking about a piddling little ecommerce site, here.
############################
2) A terminal verifying an ID card wouldn't need to receive ID record details, just a verification YES or NO from a service interfaced to the database. In fact, the biometrics will also be stored on a chip on the card, so in most ID verification use-cases the data never leaves the terminal, the card software just returns a YES or NO - a bit like how chip-and-pin works, the pin is on the card, the terminal only calls the database to verify the amount of the transaction and not the pin, the pin doesn't get transmitted anywhere.
############################
And what about the terminal used by clerks and officials to input/view/edit data? If the biometric verification is performed 'on-chip' then the system will have no way of identifying a forged ID. In other words, unless the biometrics are *centrally* verified, they are vulnerable. If they *are* centrally verified, they are vulnerable. Or, to put it another way, just like biometric passports already have been, biometric ID cards *will* be compromised, and that means the data they are protecting will be compromised.
############################
3) Database backups can be automatically encrypted to prevent them being of use if they are lost or stolen. Indeed, individual columns in tables in databases can be specified to be encrypted so that they're meaningless without properly authorised access.
############################
And backups can be made that *aren't* encrypted. We are back to that underpaid sysadmin and his mafia payoff again. Or even a run-of-the-mill cock-up like the one that just occurred.
Authorised access. Are you kidding me? That means *nothing* at all. All you need is the access credentials of an 'authorised' person and you can read the lot. People leave passwords on bits of paper, they leave their smart cards lying around. People can be bought. People are stupid. You can encrypt away to your heart's content but it only takes one person to be forgetful / stupid / corrupt and all that encryption is worthless.
############################
4) You're right about financial incentives being the most common way to enlist inside help with fraud. That's why any security clearance for government data centres includes a financial background check. Those with "large mortgage arrears" need not apply.
############################
Are you *seriously* that naive? We are talking about the people (the Home Office) who employ illegal immigrants as security guards, here. And while 'background checks' may show up mortgage arrears, there are *plenty* of ways to owe (very nasty) people a *lot* of money that *won't* show up on any background check. And people can always get into financial shit *after* they have started work too.
It is virtually impossible to implement a system like the national ID register that will be administered, at varying levels, by, literally, thousands of people and make it totally secure. Personally, if it were competently built, I'd give it, at most, 5 years after it goes live before it is compromised.
Knowing the underpaid and overworked people that will be building the system I would hazard a guess that its security will be totally blown long before it goes live, however.
And, underlying all of that, this whole pile of shite is going to be run by HM Government who, time and time and time again, have shown that they are totally clueless when it comes to information technology and have shown time and time and time again that they *absolutely* cannot be trusted to keep our personal details secure.