BT under investigation for ‘exposing user credentials’
ICO investigating data practices during email migration.


BT "exposed user credentials en masse" as it migrated customer emails from a Yahoo-powered system to its own infrastructure, it has been alleged.
According to reports, a whistleblower, believed to be a former employee of Critical Path, the company that built BT's new system, has claimed that the method used to gradually move email accounts from one system to the other is insecure.
The individual reportedly contacted the ICO, claiming the company was running a "chaotic" mail system for BT that may have contravened UK data protection legislation.
According to The Register, which claims to have seen the complaint documents, user IDs and passwords of BT customers were allegedly logged by Critical Path.
It is reported that the whistleblower claimed to have become concerned by "careless implementation of security safeguards affecting the privacy of BT internet mail users".
"Critical Path was running a set-up during migration that exposed user credentials en masse as login proxies connected via load balancers to Yahoo!, with only traffic between load balancers and Yahoo! being encrypted and the rest circulating around the infrastructure in clear text," The Register's source claimed.
IT Pro contacted the ICO for confirmation of whether or not BT is under investigation.
An ICO spokesperson said: "On 13 March 2014 we wrote to BT with a number of questions. Our enquiries into this matter are still ongoing and no conclusions have yet been reached."
BT told IT Pro: "BT has been made aware by the ICO that they are conducting an unverified assessment in relation to BT Mail security, a service which is provided by Openwave (formerly Critical Path).
"BT takes the security of all products very seriously and, in the process of developing new services with partners, we rigorously audit and test for security, and fix any identified issues before going into live service. We believe this unverified assessment of BT Mail relates to an issue identified and fixed as part of our normal testing and development process."
- This article was updated to include BT's response to the allegations.

Jane McCallion is Managing Editor of ITPro and ChannelPro, specializing in data centers, enterprise IT infrastructure, and cybersecurity. Before becoming Managing Editor, she held the role of Deputy Editor and, prior to that, Features Editor, managing a pool of freelance and internal writers, while continuing to specialize in enterprise IT infrastructure, and business strategy.
Prior to joining ITPro, Jane was a freelance business journalist writing as both Jane McCallion and Jane Bordenave for titles such as European CEO, World Finance, and Business Excellence Magazine.