Potential cyber implications of the UK's proposed digital ID system

Introduction

On 26 September 2025, UK prime minister Keir Starmer will announce plans for a country-wide digital ID scheme. The initiative will be mandatory for adults in the UK and provide a means for checking individual’s right to live and work in the country. According to senior figures in government, Starmer reportedly believes that digital IDs will help crack down on illegal working and modernise the state. This is not the first time that ID cards have attempted to be introduced in the UK, with the previous Labour government introducing the Identity Cards Act 2006 to combat identity fraud, terrorism, and illegal immigration. However, this was ultimately blocked by the Conservative-Liberal Democrat coalition.

The UK has reportedly taken inspiration from countries including Australia, Estonia, India, and Denmark, which also use similar digital identification schemes. Currently, checks relating to an individual’s right to work in the UK are conducted through physical documents rather than online. However, digital IDs will be checked against a central database under the proposed plans. The government has stated that the ID will make applications for services including welfare, childcare, and driving licences simpler.

This ID plan represents a shift in the government’s position, particularly as ministers rejected a call from previous Labour leader Tony Blair to introduce them just after the election was won in July 2024. Mandatory ID cards were previously only used during wartime, with the scheme last being scrapped in 1952.

This scheme will require legislation to be passed, something which may hit barriers due to opposition from MPs across the political sphere in the UK. Privacy groups have also expressed concern at the idea, with criticism about how it could be used for mass surveillance being circulated.

It is currently unclear who will have to register and how much information the ID will hold. Whilst the specifics of the ID card are currently unknown, other countries to adopt similar schemes include Sweden. Within Sweden, digital ID cards are known as BankIDs and can be accessed via an application on mobile devices. This is used to scan a QR code generated either by a business or government service to authenticate whilst providing verification of both identity and age. This includes signing documents, authorising payments, and accessing both banking and government services.

Reactions to the scheme

Much of the response to the scheme appears to be negative, with a petition already being created on the official government page to stop digital IDs being introduced. As of 26 September 2025, the petition has reached over 750,000 signatures. This demonstrates a strong negative sentiment from members of the public, who may see the scheme as an overreach of government powers. Parliament must consider all petitions which gain more than 100,000 signatures for debate, with a response also being given to ones which reach this number. This indicates the long process which the scheme will have to go through before any legislation can be passed.

Reform UK leader Nigel Farage uploaded a video to X (formerly Twitter) stating that digital IDs will be a form of “controlling the population” whilst the Liberal Democrats have said that it could not support “a mandatory digital ID where people are forced to turn over their private data just to go about their daily lives”. Conservative leader Kemi Badenoch has noted that there are arguments “for and against” the cards but also states that it is “a desperate gimmick” from the Labour government.

Cyber risks

One of the major concerns with the introduction of the digital ID scheme is the cybersecurity risk, particularly as the UK has recently been hit with significant attacks against its retail sector and high-profile organisations. Within many of these attacks, large portions of customer and company data have been stolen by threat actors. As such, there is currently a heightened concern about the loss of data, something which will likely be extended to the proposed scheme. From this, there are two significant threats. Firstly, if an attacker was able to compromise the proposed central database, it may be able to undermine the confidentiality and integrity of the digital ID card system. Through this, individuals may have access to essential services such as healthcare or banking removed which could present a potentially life-threatening issue. If within this service, there are mechanisms for managing access to different services based on social or financial status, such as welfare, this may provide threat actors a way to cause reputational damage to individuals. This could include changing key information about individuals such as their age or cause disruption through deleting IDs altogether. Secondly, a threat actor may be able to compromise large portions of the data. This may lead to significant numbers of digital ID cards being leaked either directly to threat actors or publicly on the internet.

The threat from this is clear as this opens the door for a multitude of different types of cyberattacks and fraud opportunities. For example, state-sponsored threat actors will view this information as highly valuable. If digital IDs are used as a critical asset nationwide, then an attack via a nation state advanced persistent threat (APT) could cripple the system and cause further widespread disruption. There have been previous incidents where APTs have conducted cyberespionage campaigns to provide their parent state with information of value, with a prominent example including Iranian group CharmingKitten targeting critical infrastructure across Europe.

One example may include the sale or sharing of these ID cards similar to that which has been observed with credentials. If the ID system provides access into government, banking, or healthcare services these would be high value assets to threat actors. As such, this could potentially allow for fraudulent transactions, identity theft, and further malicious activity. As with Sweden’s system, if this ID card provides a single point of access to multiple services, then it may act as a single point of access for threat actors into various sensitive personal accounts. This makes this more impactful than a credential leak as this not only provides access to a single service but may act as a pseudo supply-chain compromise. This will make it a high value target for threat actors, likely leading to the use of various techniques such as social engineering or the use of infostealer malware to gain access to the backend.

Another aspect of the recent attacks against UK-based organisations is the manner in which they were compromised. In both instances, compromise was achieved through the organisations’ wider supply chains. This highlights the critical nature of ensuring appropriate security protections are applied across the whole supply chain, particularly in key sectors such as government. Unless the full supply chain is held to the same security standards, it may present a weakness which could undermine the rest of the system. This may occur even if the eventual system is highly secure.

Another potential risk is the time pressure which this system will likely be developed under. As this is a political move and one which other parties have detracted against, it is likely that the government will want the system to be running before the end of its term. Because of this, this may lead to shortcuts being taken in the development process due to the political aspect of this scheme. As such, this may lead to a compromise in security which could include a lack of appropriate testing which could leave vulnerabilities within the system. Alternatively, the adequate time to consult appropriate security stakeholders may not be taken to understand the risks of such a scheme. Due to the public nature of such an announcement, threat actors will likely be highly aware of the scheme. As such, attackers could specifically target the infrastructure to discover its vulnerabilities or seek to use an insider to enable post-build compromise.

Another potential implication of this is the lack of education around how such a service may work. Fraud threat actors often use systems which appear complicated to exploit vulnerable individuals. Similar targeting of other modernisations has been observed, with examples including online banking. In this case, one of the key vulnerable groups was the elderly population of the UK. Vulnerable individuals may not fully understand how such an ID card system may work, allowing fraudsters to potentially steal information and gain access into sensitive services.

Conclusion

Whilst the full scope of the digital ID card system is unknown, it is clear that a significant amount of care needs to be considered with the security ramifications of such a change. It is yet to be seen whether the government’s speed or ambition may undermine the proposed scheme but nevertheless threat actors will highly likely explore how such a system could be exploited.

Due to recent incidents involving UK-based organisations, including an attack against a nursery and ransomware being used to target European airports, the topic of cybersecurity is prominent in the public sphere. These previous incidents highlight a range of attack vectors and motivations by the threat actors involved. As such, security experts will likely push for rigorous controls for any digital ID system which is introduced. Moreover, it is also likely that given the various cyberattacks which have recently occurred in the UK, the public will be aware of the potential data risks which arise from introducing such an ID scheme.

‍