ICO Looks Into BT E-Mail Data Breach Claims

The Information Commissioners’ Office has confirmed it is following up claims that BT exposed a number of its customers’ email accounts during the migration from Yahoo Mail to a white-label product from Critical Path, which has since been purchased by Openwave.

According to documents obtained by The Register, an anonymous whistleblower told the ICO that a large number of accounts had been compromised during the migration – it seems no login details were leaked, but the addresses were left on an open page where anyone could harvest them.

As a result, it appears from the documents  that BT customers’ email accounts were being spammed on a daily basis, that the company was most likely not meeting its requirements as part of the Data Protection Act, and was aware of this. It is unclear how many accounts might be affected by the alleged breach, but seven million users are being moved from the Yahoo-based platform to the new service.

BT data breach

The ICO has confirmed to TechWeekEurope that it has indeed contacted BT about the allegations: “On 13 March 2014 we wrote to BT with a number of questions. Our enquiries into this matter are still ongoing and no conclusions have yet been reached.”

BT also said it was aware of the regulator’s interest but stressed the alleged vulnerability had been discovered during testing and had been fixed.

“BT has been made aware by the ICO that they are conducting an unverified assessment in relation to BT Mail security, a service which is provided by Openwave (formerly Critical Path),” a BT spokesperson told TechWeekEurope. “BT takes the security of all products very seriously and, in the process of developing new services with partners, we rigorously audit and test for security, and fix any identified issues before going into live service.

“We believe this unverified assessment of BT Mail relates to an issue identified and fixed as part of our normal testing and development process.”

If the allegations are proved to be true, the ICO has the power to impose a significant fine on BT. Earlier this month, the British Pregnancy Advice Service (BPAS), a charity which helps women considering abortion, was fined £200,000 after a data breach revealed the names of 10,000 of its users to Anonymous hacker James Jeffery in March 2012.

Do you know the history of BT? Try our quiz!