BT under investigation for ‘exposing user credentials’
ICO investigating data practices during email migration.
BT "exposed user credentials en masse" as it migrated customer emails from a Yahoo-powered system to its own infrastructure, it has been alleged.
According to reports, a whistleblower, believed to be a former employee of Critical Path, the company that built BT's new system, has claimed the method being used for the gradual moving of email accounts from one system to the other is insecure.
The individual reportedly contacted the ICO, claiming the company was running a "chaotic" mail system for BT that may have contravened UK data protection legislation.
According to The Register, which claims to have seen the complaint documents, user IDs and passwords of BT customers were allegedly logged by Critical Path.
It is reported that the whistleblower claimed to have become concerned by "careless implementation of security safeguards affecting the privacy of BT internet mail users".
"Critical Path was running a set-up during migration that exposed user credentials en masse as login proxies connected via load balancers to Yahoo!, with only traffic between load balancers and Yahoo! being encrypted and the rest circulating around the infrastructure in clear text," The Register's source claimed.
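The allegation above describes two distinct failure modes: internal legs of a login path carrying credentials in clear text, and a proxy writing the user IDs and passwords it handles into its logs. The following Python is an added illustration, not code from the article, BT, Critical Path or Openwave; the component names and the log lines are constructed. It shows a defender's two checks for such a set-up: a topology audit that flags every unencrypted hop rather than only the external one, and a log redactor that strips credentials from IMAP, HTTP Basic and form-based logins before anything is written to disk.

```python
"""Defensive checks for a mail login proxy (added example, constructed data).

1. cleartext_hops(): audit a proxy topology and list every leg that is not TLS.
2. redact(): scrub credentials from a log line before it is persisted.
"""
import re
from dataclasses import dataclass
from typing import List, Tuple


@dataclass(frozen=True)
class Hop:
    src: str
    dst: str
    tls: bool  # True if this leg is encrypted in transit


def cleartext_hops(hops: List[Hop]) -> List[Tuple[str, str]]:
    """Return every (src, dst) leg that would carry traffic without TLS."""
    return [(h.src, h.dst) for h in hops if not h.tls]


# Constructed topology modelled on the allegation: only the leg from the load
# balancer to the upstream mailbox provider is encrypted; the internal legs
# between load balancer and login proxy are not. Component names are assumptions.
ALLEGED = [
    Hop("client", "load_balancer", True),
    Hop("load_balancer", "login_proxy", False),
    Hop("login_proxy", "load_balancer", False),
    Hop("load_balancer", "upstream_mailbox", True),
]

# Hardened variant: the same hops with TLS on every leg.
HARDENED = [Hop(h.src, h.dst, True) for h in ALLEGED]


# Credential shapes a mail/web login proxy is likely to see in its traffic.
# IMAP:  "<tag> LOGIN <user> <password>"
_IMAP_LOGIN = re.compile(r"(?i)^(\S+\s+LOGIN\s+)\S+\s+\S+")
# HTTP:  "Authorization: Basic <base64 user:password>"
_BASIC_AUTH = re.compile(r"(?i)(Authorization:\s*Basic\s+)\S+")
# Form / query fields carrying identity or secrets.
_FORM_FIELD = re.compile(
    r"(?i)\b(pass(?:word|wd)?|pwd|user(?:name)?|login)=([^&\s]*)"
)


def redact(line: str) -> str:
    """Replace user IDs and passwords in a log line with a fixed marker."""
    line = _IMAP_LOGIN.sub(r"\1[REDACTED] [REDACTED]", line)
    line = _BASIC_AUTH.sub(r"\1[REDACTED]", line)
    line = _FORM_FIELD.sub(r"\1=[REDACTED]", line)
    return line


def safe_log(lines: List[str]) -> List[str]:
    """What a proxy should persist: the same lines with credentials removed."""
    return [redact(line) for line in lines]


if __name__ == "__main__":
    print("clear-text legs (alleged):", cleartext_hops(ALLEGED))
    print("clear-text legs (hardened):", cleartext_hops(HARDENED))
    # Constructed sample traffic; the credentials below are made up.
    for line in safe_log([
        "a001 LOGIN alice@example.com hunter2",
        "GET / HTTP/1.1 Authorization: Basic YWxpY2U6aHVudGVyMg==",
        "POST /login user=alice&password=hunter2",
    ]):
        print(line)
```

The topology audit is the part most often skipped in practice: encrypting the hop that crosses the Internet is visible and easy to justify, while the internal legs are assumed safe because they are "inside". Running `cleartext_hops` against the real deployment diagram before migration traffic starts flowing makes that assumption explicit and checkable.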
IT Pro contacted the ICO for confirmation of whether or not BT is under investigation.
An ICO spokesperson said: "On 13 March 2014 we wrote to BT with a number of questions. Our enquiries into this matter are still ongoing and no conclusions have yet been reached."
BT told IT Pro: "BT has been made aware by the ICO that they are conducting an unverified assessment in relation to BT Mail security, a service which is provided by Openwave (formerly Critical Path).
"BT takes the security of all products very seriously and, in the process of developing new services with partners, we rigorously audit and test for security, and fix any identified issues before going into live service. We believe this unverified assessment of BT Mail relates to an issue identified and fixed as part of our normal testing and development process."
- This article was updated to include BT's response to the allegations.
Jane McCallion is ITPro's Managing Editor, specializing in data centers and enterprise IT infrastructure. Before becoming Managing Editor, she held the role of Deputy Editor and, prior to that, Features Editor, managing a pool of freelance and internal writers, while continuing to specialize in enterprise IT infrastructure, and business strategy.
Prior to joining ITPro, Jane was a freelance business journalist writing as both Jane McCallion and Jane Bordenave for titles such as European CEO, World Finance, and Business Excellence Magazine.