Identity Verification Insider Threat 2026
Identity verification platform security exposed: a 2026 UK FOI case found staff with full PII database access and zero background vetting. What it costs.
Some links in this article may be affiliate links. PrimeBiometry earns a commission at no extra cost to you. This does not influence our editorial ratings or recommendations.
Evaluating identity verification vendors in 2026?
This article covers the security architecture gap. For ranked vendor picks with admin access controls compared, see the directory.
Most organizations investing in an identity verification platform spend considerable effort securing the customer-facing layer. Documents are scanned. Liveness is checked. Fraud signals are scored. The front door is locked and monitored.
The back door is often left wide open.
In May 2026, a Freedom of Information request to North Yorkshire Council exposed a gap that security architects see repeatedly in both public-sector and enterprise deployments: a system collecting citizens’ names, home addresses, phone numbers, and vehicle registrations, protected internally by nothing more than a username and password, with no background vetting applied to the staff who can access every record in the database.
This article deconstructs what went wrong, what the council actually got right, and how to avoid the same architecture mistake when building or buying an identity verification solution.
Key Takeaways
- A 2026 UK FOI response confirmed that staff with full PII database access face “no vetting or background checks” beyond standard HR screening (WhatDoTheyKnow, CN35454, May 2026)
- In 2025, Verizon found stolen credentials were involved in 22% of all breaches, with the human element driving roughly 60% of incidents (Verizon DBIR 2025)
- Biometric MFA and role-based access controls applied to admin systems eliminate credential sharing and create forensic-grade audit trails that password logs alone can’t provide
The North Yorkshire Council Case: A Real-World Access Control Gap
On 18 May 2026, North Yorkshire Council published its response to FOI request CN35454, covering data protection practices for its Household Waste Recycling Centre registration scheme. Citizens using the scheme provide their name, home address, email or phone number, and vehicle registration. That data sits in a central database.
The council’s response to the staff vetting question reads verbatim: “No vetting or background checks are undertaken, other than those normally carried out as part of a recruitment exercise.”
Three categories of staff hold full access to every customer record: customer services, waste management business support, and waste contracts team officers. All access is controlled by a “unique personal login ID and password.” No MFA. No biometric step-up. No DBS Enhanced Disclosure or equivalent for roles touching a database of citizen home addresses and vehicle movement records.
Here’s the part of the response that’s worth closer attention: the council actually got one piece of this architecture exactly right. Site operatives at the recycling centres can’t see customer names or addresses at all. On their mobile devices, they input a vehicle registration and receive only vehicle type, make, colour, and a 28-day visit counter. Customer PII is never displayed to field staff.
That is textbook data minimization under UK GDPR Article 5(1)(c). The council applied the principle correctly to the external-facing, operationally necessary layer. The failure is upstream, at the administrative access layer, where the same principle wasn’t extended.
A Data Protection Impact Assessment (DPIA) was completed and a redacted copy was released alongside the FOI response. The DPIA addresses lawful basis, data fields, and retention periods. It doesn’t resolve the access control gap it documents, because completing a DPIA isn’t the same as implementing the controls it identifies as necessary.
This pattern isn’t unique to this council. It appears in enterprise KYC deployments, fintech onboarding platforms, and government citizen databases alike. The external-facing layer gets hardened. The internal access layer is treated as a lower-priority problem, until it isn’t.
Compare identity verification software platforms by their internal access control architecture, not just their customer-facing verification features.
Why “Login and Password” Is a 2026 Security Liability
In 2025, Verizon’s Data Breach Investigations Report found that stolen or misused credentials were involved in 22% of all analysed breaches, and the broader human element — social engineering, errors, and misuse — was present in roughly 60% of incidents (Verizon, 2025 Data Breach Investigations Report). Credential-based access is the single most exploited entry point in modern breach data, year after year.
A unique personal login ID doesn’t prove identity. It proves that someone who knows the password is currently logged in. In operational teams handling high-volume, low-complexity data access tasks, credential sharing is routine. A 2024 Bitwarden survey of 2,400 workers across six countries found that over 54% of people globally rely on memory to manage passwords and reuse credentials at work (Bitwarden, World Password Day Survey 2024, via BusinessWire).
When a data incident occurs under a password-only access regime, the audit trail shows who was logged in. It doesn’t show who was physically at the keyboard. That distinction matters enormously in any ICO investigation or regulatory enforcement action.
Static passwords are phishable, shoulder-surfed, and stored insecurely. They don’t expire automatically when a team member leaves. They accumulate as shared credentials passed between contractors, temporary cover staff, and colleagues during high-pressure periods.
Gartner added a forward-looking dimension in February 2024: by 2026, 30% of enterprises will consider identity verification and authentication solutions unreliable in isolation due to AI-generated deepfakes (Gartner, press release, February 2024). The same spoofing risk that makes customer-facing liveness detection essential now applies to internal admin authentication. If a deepfake can fool a KYC check, it can fool a login prompt.
Explore biometric authentication software options built for both customer-facing and internal admin authentication use cases.
Calculating the True Cost of a KYC Compliance Failure
In 2025, IBM’s Cost of a Data Breach Report put the average global cost of a single breach at USD 4.44 million (IBM, Cost of a Data Breach Report 2025). That figure covers detection, escalation, notification, post-breach response, and lost business. It excludes regulatory fines, which are calculated separately under UK GDPR.
Under UK GDPR, the ICO can impose penalties of up to £17.5 million or 4% of global annual turnover, whichever is higher. In October 2025, the ICO fined Capita plc £14 million following a breach that compromised data for 6.6 million individuals. The ICO’s decision cited inadequate administrator access controls and insufficient security operations as primary Article 32 violations. The originally proposed penalty was £45 million; voluntary cooperation and remediation reduced it (Clifford Chance, ICO v Capita analysis, October 2025).
Most compliance buyers focus their cost analysis on per-verification KYC pricing, transaction fees, and vendor subscription costs. They miss the asymmetric risk on the other side of the ledger: a single enforcement action or data incident can exceed a decade of platform fees.
The correct comparison when evaluating an identity verification platform isn’t cost-per-verification in isolation. It’s cost-per-verification plus the total remediation exposure of the access architecture you build around it.
| Scenario | Estimated Cost |
|---|---|
| Average global data breach (IBM 2025) | USD 4.44 million |
| ICO fine, Capita plc (October 2025) | £14 million |
| Proposed ICO fine before negotiation | £45 million |
| Per-verification cost, mid-market KYC platform | £0.50–£2.00 |
For a full breakdown of vendor pricing structures, see our KYC software pricing guide.
In October 2025, the ICO fined Capita plc £14 million for a breach affecting 6.6 million individuals, explicitly citing inadequate administrator access controls as a primary Article 32 violation under UK GDPR. The enforcement decision establishes that access control failures are not technical recommendations: they’re compliance obligations with seven-figure consequences when they fail (Clifford Chance, October 2025).
The Biometric Solution: Eliminating Credential Sharing for Admin Systems
The same technology that enterprise identity verification platforms use to authenticate customers at onboarding can be deployed internally to authenticate the staff operating those platforms. This isn’t a theoretical extension: Sumsub, Veriff, and ComplyCube all use layered authentication in their internal access workflows. The question is whether your deployment architecture extends that protection to your own admin users.
Passwordless MFA built on FIDO2 passkeys eliminates the credential-sharing problem structurally. A FIDO2 passkey is device-bound and optionally protected by a biometric step-up: face recognition or fingerprint. It can’t be typed into a shared login form. It can’t be emailed to a colleague covering a shift. The access event is cryptographically tied to the registered device and the biometric match, not just a password that could have been entered by anyone.
There’s an underused architecture pattern here that most deployments miss. The liveness detection engine that verifies a customer presenting a document is genuinely present can be repurposed as a step-up authentication mechanism for admin users accessing sensitive records. A support agent opening a full customer file triggers a liveness check. The session logs not just who was logged in, but who was physically present and verified at the moment of access. That creates a forensic-grade audit trail satisfying Article 32 requirements in a way that access logs alone never fully can.
Role-based access control is the structural layer beneath biometric authentication. It answers the prior question: who should have access to this data at all? In the North Yorkshire Council architecture, a customer services agent handling an online registration query doesn’t need visibility into every vehicle visit record for every address in the database. RBAC limits the blast radius of any single compromised account, whether through credential theft, social engineering, or insider misuse.
Why Liveness Detection Is Non-Negotiable for Staff Authentication
Liveness detection prevents spoofing of the biometric factor itself. A photograph, a recorded video, or a 3D mask can defeat basic facial recognition. iBeta Level 2 certified liveness detection resists all three attack classes, and it’s the benchmark to ask vendors about specifically.
When selecting a platform whose authentication layer your staff will pass through, confirm the vendor’s internal iBeta certification level. A vendor running Level 1 internally while marketing Level 2 to customers is applying its own product inconsistently. That inconsistency is a useful signal about their security posture more broadly.
Compare biometric authentication software vendors by iBeta certification level, FIDO2 support, and internal admin deployment options.
5-Point Checklist: Evaluating an Identity Verification Vendor’s Own Security Architecture
Before signing a contract with any KYC compliance software vendor, audit their internal access architecture with these five questions. What they’ve built for themselves is the best available signal for what they’ll build for you.
1. How do your support staff authenticate to customer record systems?
Accept: FIDO2 passkey with biometric step-up, or hardware token MFA. Reject: username and password only, even with OTP SMS as a second factor. SMS OTP is SIM-swappable and doesn’t prevent credential sharing.
2. Do you provide immutable, tamper-evident audit logs of admin access?
You need to see who accessed which customer record and when, with a log that the accessing user can’t edit or delete. This is your primary evidence in a regulatory investigation. If a vendor can’t produce a demo of their audit log within 60 seconds, they probably don’t have one worth relying on.
3. Can you configure field-level data masking per role?
A support agent resolving a verification case shouldn’t need to see a customer’s full address, document number, or date of birth. If the vendor’s RBAC applies only at the case level and not the field level, your data exposure is broader than it needs to be and broader than UK GDPR Article 25’s data minimization by design principle allows.
4. What vetting applies to your own staff who handle customer data?
DBS Enhanced Disclosure or an equivalent (BS 7858 is common in security and financial services) for roles with database access is a reasonable minimum standard. “Standard HR checks” is not an adequate answer for a vendor handling sensitive PII at scale. Ask for their internal vetting policy in writing before signing.
5. Do you hold a current SOC 2 Type II certificate and ISO 27001?
“Working toward certification” or “in progress” means uncertified. Ask for the certificate directly, including its issue date, scope, and the audit period it covers. SOC 2 Type II is an audit of actual operational controls over time, not a point-in-time snapshot. A certificate issued two years ago that hasn’t been renewed tells you something.
In 2025, the average global data breach cost USD 4.44 million (IBM, Cost of a Data Breach Report 2025), and the ICO’s £14 million fine against Capita for access control failures sets a concrete benchmark for what inadequate internal controls cost when they contribute to a significant breach. Both figures should be part of your total cost of ownership calculation when evaluating vendors (IBM, 2025; Clifford Chance, 2025).
Technology Is Only as Secure as the People Operating It
North Yorkshire Council’s HWRC case isn’t an outlier. It’s a documented, publicly verifiable example of a gap that security and compliance teams encounter across sectors: a well-implemented customer-facing layer, a DPIA that identifies risks, and an admin access architecture that didn’t match the data sensitivity of what it was protecting.
The lesson isn’t that the council should have bought a more expensive platform. It’s that software alone doesn’t close the human element gap. That requires biometric staff authentication, background vetting proportionate to data sensitivity, and RBAC that enforces data minimization at the field level, not just the system boundary.
If you’re selecting an identity verification platform in 2026, run the five-question checklist above against every shortlisted vendor. Then apply the same audit to your own internal deployment architecture before go-live.
Compare identity verification vendors by admin security features
Our directory covers 60+ platforms with audit log capabilities, SOC 2 status, and RBAC configuration options noted per vendor.
Sources:
- WhatDoTheyKnow, FOI Request CN35454, North Yorkshire Council HWRC Registration Scheme, retrieved 2026-06-19, https://www.whatdotheyknow.com/request/freedom_of_information_request_d_1842
- Verizon, 2025 Data Breach Investigations Report, retrieved 2026-06-19, https://www.verizon.com/about/news/2025-data-breach-investigations-report
- IBM, Cost of a Data Breach Report 2025, retrieved 2026-06-19, https://www.ibm.com/reports/data-breach
- Clifford Chance, ICO fines Capita for UK GDPR infringements following March 2023 cyber breach, October 2025, retrieved 2026-06-19, https://www.cliffordchance.com/insights/resources/blogs/talking-tech/en/articles/2025/10/ico-fines-capita-for-uk-gdpr-infringements-following-march-2023-.html
- Gartner, Gartner Predicts 30% of Enterprises Will Consider Identity Verification and Authentication Solutions Unreliable in Isolation Due to Deepfakes by 2026, February 2024, retrieved 2026-06-19, https://www.gartner.com/en/newsroom/press-releases/2024-02-01-gartner-predicts-30-percent-of-enterprises-will-consider-identity-verification-and-authentication-solutions-unreliable-in-isolation-due-to-deepfakes-by-2026
- Bitwarden, World Password Day Survey 2024, via BusinessWire, April 2024, retrieved 2026-06-19, https://www.businesswire.com/news/home/20240424568925/en/Over-54-of-People-Globally-Rely-on-Memory-to-Manage-Passwords-and-Reuse-Credentials-at-Work