BT to be investigated over email data after whistleblower remarks

By Dave Lee, Technology reporter, BBC News

Published 14 March 2014

Image caption: BT is moving seven million customers to its new email service, away from a Yahoo system

BT is being investigated by the UK's data authority after a whistleblower claimed the company "exposed user credentials en masse".

BT is currently moving its customers' email accounts from a Yahoo-powered system to its own bespoke set-up.

As revealed by The Register, the Information Commissioner's Office (ICO) is looking into BT's data practices during this process.

BT told the BBC the complaint "relates to an issue identified and fixed".

The whistleblower is believed to have been a former employee of Critical Path, the company tasked with building BT's new system for email. Critical Path was acquired last year by Openwave, a California-based messaging specialist.

On behalf of BT, Critical Path must gradually switch over seven million customers from Yahoo to BT. The whistleblower said the method Critical Path was using was insecure.

A spokesman for BT said: "BT takes the security of all products very seriously.

"And in the process of developing new services with partners, we rigorously audit and test for security, and fix any identified issues before going into live service."

The BBC understands the vulnerabilities were discovered while the new email system was in its testing phase last year, and that the telecoms firm was confident no personal data had been compromised.

Mistake

Nevertheless, BT confirmed that the ICO had contacted it on Thursday to begin enquiries following the whistleblower's remarks.

In confidential documents obtained by The Register, and confirmed by the BBC to be genuine, the ICO said: "On the basis of the information [the whistleblower] provided, we consider it unlikely that BT has complied with the requirements of the [Data Protection Act].

"This is because the evidence [the whistleblower] ... provided to us indicates that BT customer email accounts were being compromised by spammers/scammers on a daily basis and that BT was aware of this."

However, later in the same document, the ICO expressed concern that BT was allowing insecure logins over plain HTTP, rather than over the encrypted protocol HTTPS.

BT told the BBC this assessment was a mistake.

"BT Mail is HTTPS, not HTTP, and we would not use HTTP with live customers."

The issue of spamming and scamming, BT said, was being confused with issues affecting Yahoo customers, and was not limited to BT.

"Yahoo has told us that they have identified unauthorised access to some BT Yahoo email accounts," the spokesman said.

"We're continuing to provide assistance and information to Yahoo to investigate the issue."

An ICO spokesman said the document published by The Register was not intended for publication - and that the comments should be treated as "preliminary", rather than the authority's final conclusions on the matter.