BT customer data 'exposed', ICO investigating claims

News by Tim Ring

BT is being investigated by the UK's privacy watchdog, the Information Commissioner's Office (ICO), over claims that the user names and passwords of millions of its email customers were exposed to hacking.

The ICO launched its inquiry on 13 March based on claims by an unnamed 'whistleblower' that the credentials of around seven million BT Mail customers “were being compromised by spammers/scammers on a daily basis and that BT was aware of this”, according to a BBC report.

The alleged exposure arose while BT was migrating its email customers from a Yahoo-powered system to one run by Critical Path (now part of Openwave Messaging). The whistleblower is believed to be a former Critical Path employee.

BT has released a statement admitting there was an issue, without detailing its scope, but saying the problem was fixed during testing. It also told the BBC that the unauthorised access problem related to BT Yahoo email accounts. According to The Register, however, the whistleblower said user credentials were exposed in clear text during the migration to the Critical Path system.

BT declined to comment on specific claims, but said in a statement to journalists: “BT has been made aware by the ICO that they are conducting an unverified assessment in relation to BT Mail security, a service which is provided by Openwave (formerly Critical Path). BT takes the security of all products very seriously and, in the process of developing new services with partners, we rigorously audit and test for security, and fix any identified issues before going into live service. We believe this unverified assessment of BT Mail relates to an issue identified and fixed as part of our normal testing and development process.”

The ICO is still investigating, but the possibility that BT and Critical Path left user credentials readable has already drawn industry criticism.

Amar Singh, chair of the Security Advisory Group of industry body ISACA UK, said: “The worry, if the reports are accurate, is the fact that the user details, including the passwords, were being transmitted and stored in clear text! To me, in today's day and age, that is simply irresponsible and reckless practice. Certain controls, like encrypting data in transit and at rest, must be configured as de facto, a basic requirement, and the fact that the organisation appears to have ignored them makes no sense.”

An ICO spokesperson said: “On 13 March we wrote to BT with several questions. Our enquiries into this matter are still ongoing and no conclusions have yet been reached.”

While the extent of the problem remains unclear, Amar Singh has advised BT Mail customers to play it safe and “change your password immediately - and remember to use a good password manager”.

He added: “Organisations - risk assess any initiative that involves personal information and always, always use proper and strong encryption for data at rest and for data in-transit.”
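As an added illustration, not code from the article, BT, Critical Path or Openwave: the reported failure mode is a migration export that carries passwords in clear text. The practitioner's caveat to the advice above is that reversible encryption of a credential store does not fix this on its own, because whoever decrypts the export (including the receiving provider) still holds every password. The example below contrasts a constructed clear-text export with one that hands over only salted PBKDF2-HMAC-SHA256 hashes, which the new system can verify without ever seeing a plaintext password. The account records, passwords and iteration count are assumptions chosen for the example.

```python
import hashlib
import hmac
import json
import secrets
from typing import List, Dict, Optional

# Example parameters (assumed, not from the article): PBKDF2-HMAC-SHA256,
# 16-byte random salt, iteration count tuned to be slow for an attacker.
ITERATIONS = 600_000
SALT_BYTES = 16


def hash_password(password: str, iterations: int = ITERATIONS,
                  salt: Optional[bytes] = None) -> str:
    """Return a self-describing, salted PBKDF2 record: algo$iters$salt$dk."""
    salt = salt if salt is not None else secrets.token_bytes(SALT_BYTES)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Re-derive from the stored salt/iterations and compare in constant time."""
    try:
        algo, iters, salt_hex, dk_hex = stored.split("$")
        iterations = int(iters)
        salt = bytes.fromhex(salt_hex)
        expected = bytes.fromhex(dk_hex)
    except ValueError:
        return False  # malformed record: fail closed
    if algo != "pbkdf2_sha256":
        return False
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return hmac.compare_digest(dk, expected)


# Constructed sample of the bad shape: a clear-text migration export.
# (Made-up accounts; passwords deliberately contain non-hex characters so the
# leak check below cannot be fooled by a hex substring.)
CLEAR_TEXT_EXPORT: List[Dict[str, str]] = [
    {"user": "alice@example.com", "password": "correct horse"},
    {"user": "bob@example.com",   "password": "Tr0ub4dor&3"},
    {"user": "carol@example.com", "password": "sunny-days-2014!"},
]


def build_migration_export(clear_records: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """The shape to hand to the receiving provider: salted hashes, no plaintext."""
    return [{"user": r["user"], "password_hash": hash_password(r["password"])}
            for r in clear_records]


def export_leaks_plaintext(export: List[Dict[str, str]],
                           clear_records: List[Dict[str, str]]) -> bool:
    """Check a serialised export for any of the original passwords."""
    blob = json.dumps(export)
    return any(r["password"] in blob for r in clear_records)


def authenticate(export: List[Dict[str, str]], user: str, password: str) -> bool:
    """What the new mail platform does at login, using only the hashed export."""
    for rec in export:
        if rec["user"] == user:
            return verify_password(password, rec["password_hash"])
    return False


if __name__ == "__main__":
    hashed = build_migration_export(CLEAR_TEXT_EXPORT)
    print("clear-text export leaks passwords:",
          export_leaks_plaintext(CLEAR_TEXT_EXPORT, CLEAR_TEXT_EXPORT))
    print("hashed export leaks passwords:   ",
          export_leaks_plaintext(hashed, CLEAR_TEXT_EXPORT))
    print("alice logs in with right password:", authenticate(hashed, "alice@example.com", "correct horse"))
    print("alice logs in with wrong password:", authenticate(hashed, "alice@example.com", "wrong"))
```

The trade-off is that the receiving system must understand the hash format (or re-hash each user at their next successful login); what it must not do is ask the old system for plaintext to "simplify" the cutover. Encryption in transit (TLS) still belongs around the export, but it protects the wire, not the store.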

BT announced its choice of Critical Path as its consumer email provider in June 2013, providing email, calendar and contacts within the BT portal, as well as email anti-virus/anti-spam security services, across desktop client, webmail and mobile devices.

Critical Path was acquired by Openwave in December 2013.
