The ICO launched its inquiry on 13 March based on claims by an unnamed ‘whistleblower’ that the credentials of around seven million BT Mail customers “were being compromised by spammers/scammers on a daily basis and that BT was aware of this”, according to a BBC report.
The claimed vulnerability arose while BT was moving its email customers across from a Yahoo-powered system to one run by Critical Path (now part of Openwave Messaging). The whistleblower is believed to be a former employee of Critical Path.
BT has released a statement admitting there was an issue – without detailing its exact scope – but saying the problem was fixed during testing. It also told the BBC that the unauthorised access problem related to BT Yahoo email accounts. But according to The Register, the whistleblower said user credentials were exposed in clear text during the migration to the Critical Path system.
BT declined to comment on specific claims, but said in a statement to journalists: “BT has been made aware by the ICO that they are conducting an unverified assessment in relation to BT Mail security, a service which is provided by Openwave (formerly Critical Path). BT takes the security of all products very seriously and, in the process of developing new services with partners, we rigorously audit and test for security, and fix any identified issues before going into live service. We believe this unverified assessment of BT Mail relates to an issue identified and fixed as part of our normal testing and development process.”
The ICO is investigating the claims, but the possibility that BT/Critical Path left user credentials accessible has already drawn industry criticism.
Amar Singh, chair of the Security Advisory Group of industry body ISACA UK, told SCMagazineUK.com: “The worry, if the reports are accurate, is the fact that the user details, including the passwords, were being transmitted and stored in clear text! To me, in today's day and age, that is simply irresponsible and reckless practice. Certain controls, like encrypting data in transit and at rest, must be configured as de facto, a basic requirement, and the fact that the organisation appears to have ignored them makes no sense.”
An ICO spokesperson told SCMagazineUK.com: “On 13 March we wrote to BT with several questions. Our enquiries into this matter are still ongoing and no conclusions have yet been reached.”
While the extent of the problem remains unclear, Amar Singh has advised BT Mail customers to play it safe and “change your password immediately – and remember to use a good password manager”.
He added: “Organisations – risk assess any initiative that involves personal information and always, always use proper and strong encryption for data at rest and for data in-transit.”
BT announced its choice of Critical Path as its consumer email provider in June 2013, providing email, calendar and contacts within the BT portal – as well as email anti-virus/anti-spam security services – across desktop, client, webmail and mobile devices.
Critical Path was acquired by Openwave in December 2013.