An internal investigation at the Department for Work and Pensions (DWP) has found that civil servants are colluding with organised criminals to steal personal identities on "an industrial scale".
Ministers have been privately warned that the investigation will show that hundreds of thousands of stolen personal details have been ripped off from official databases, often with inside help. Key personal details such as national insurance numbers can be used to commit benefit fraud, set up false bank accounts and obtain official documents such as passports.
The ID theft from DWP and Revenue and Customs databases is currently the subject of an internal investigation, codenamed Trident, carried out in conjunction with the Government's official data-protection watchdog.
One government figure said: "We have been told that DWP staff have been colluding with organised criminals to commit identity theft on an industrial scale. It is far wider than just tax credits and reaches right across Whitehall."
A minister confirmed that the issue was causing panic in the office of John Hutton, the Secretary of State for Work and Pensions and a key ally of Tony Blair. "It's clear it's pretty serious," she said.
The Information Commissioner, Richard Thomas, told The Independent on Sunday that there are "widespread concerns" that poorly paid staff in tax and benefits offices are "open to temptation".
Ironically, the true scale of identity thefts from the DWP came to light only when its own civil servants were the victims of an audacious attack on the Government's tax credits. The personal details of 13,000 staff were passed to gangsters who used them to steal an estimated £15m in benefits.
Today, however, it can be revealed that the scam is just one of 25 incidents of "significant organised fraud" so far uncovered. The DWP refuses to comment, saying only that there is an "ongoing investigation".
Mr Hutton's nervousness could be explained by the fact that official statistics are now overdue on how much tax credit was paid through error or fraud in 2003-04. Ministers already admit that an initial sum of £430m will have to be revised sharply upwards.
Richard Bacon, the MP who exposed the foreign prisoner débâcle, has now written to the Government's spending watchdog asking him to investigate.
"It is clear that the security of individuals' personal details has been far more severely compromised than has been admitted thus far by ministers. I have written to Sir John Bourn, the Comptroller and Auditor General, asking him to investigate urgently this failure by the Government to protect our IDs from fraudsters."
One senior Whitehall figure said that civil servants were being unwittingly duped into giving away personal identities in most cases. Figures published last week show there were 100,000 offences under the Data Protection Act in the DWP and Revenue and Customs between 2000 and 2004. Neither department will release the figures for Trident, set up in 2004.
Mr Thomas, who this week called on the Government to stiffen penalties for releasing personal information from a fine to a two-year prison sentence, said: "There are widespread concerns that lowly paid staff can be open to temptation," he said. "They [officials] need to say to their staff this [illegal selling of data] is a very serious matter and from time to time they do say this. I've seen newsletters from Customs and DWP reminders to staff that this is a very serious matter. It is a disciplinary matter and you could be exposed to a fine. If they could say in future you could be exposed to a prison sentence that is really going to be a wake-up call."
Union officials say Revenue and Customs investigators believe they know from which DWP office at least some of the information has been stolen but have so far been unable to narrow the search further.
Staff appraisal records, containing names, dates of birth and NI numbers, were removed some time last year, investigators believe. The information was enough for an organised criminal gang to claim millions of pounds in tax credits by making thousands of fraudulent claims for the credits, a means-tested top-up for low- income families.
Charles Law of the Public and Commercial Services Union says it could hardly have been made easier for the fraudsters to use stolen NI numbers to make bogus applications for tax credits online. "People applying online for tax credits were supposed to receive a telephone call to confirm their ID but, of course, there were too few staff to make the calls and they didn't happen."
Mr Law told the IoS that the fraudsters who targeted JobCentre staff almost certainly had inside help. "Staff have access to the ID details of pretty much the whole country and so there is always going to be a risk."
The sheer scale of the potential abuse was underlined by a report by the Institute for Fiscal Studies which found that government departments hand out state support to 2.1 million lone parents - even though the best estimate is that Britain has just 1.9 million single-parent households.
Mike Brewer of the IFS has said that the 200,000 "phantom" lone parents shows just how successful the ID fraudsters have become.
STEP 1 Fraudsters are passed details of national insurance numbers by civil servants with access to the Revenue and Customs database.
STEP 2 The details are used to receive utility bills bearing the names and details of the IDs stolen from the database, which records every man and woman in the UK.
STEP 3 The criminals can use utility bills to open fake bank accounts, providing themselves with a crucial element for the new identity.
STEP 4 An internet search by the fraudsters helps them to apply for a replacement birth certificate.
STEP 5 The fraudsters apply for replacement passports, which can be sold togangmasters for people smuggling.