British Telecom is being investigated by the UK's privacy watchdog, the Information Commissioner's Office (ICO), over claims that the user names and passwords of millions of its email customers were exposed to hacking.
The ICO launched an inquiry on 13 March based on claims by an unnamed ‘whistleblower’ that the credentials of around seven million BT Mail customers “were being compromised by spammers/scammers on a daily basis and that BT was aware of this”, according to a BBC report.
The alleged vulnerability arose when BT was moving its email customers across from a Yahoo-powered system to one run by Critical Path (now part of Openwave Messaging). The whistleblower is believed to be a former employee of Critical Path.
BT has released a statement admitting there was an issue – without detailing its exact scope – but claims the problem was fixed during testing.
The telco told the BBC that unauthorised access was limited to customers' BT Yahoo email accounts. But according to The Register, the whistleblower claims user credentials were exposed in clear text during the migration to the Critical Path system, which would make the exposure far wider than BT's account suggests.
In its statement, BT acknowledged the investigation:
“BT has been made aware by the ICO that they are conducting an unverified assessment in relation to BT Mail security, a service which is provided by Openwave (formerly Critical Path).
“BT takes the security of all products very seriously and, in the process of developing new services with partners, we rigorously audit and test for security, and fix any identified issues before going into live service. We believe this unverified assessment of BT Mail relates to an issue identified and fixed as part of our normal testing and development process,” it said.
An ICO spokesperson said “enquiries into this matter are still ongoing and no conclusions have yet been reached”.
The incident has drawn industry criticism.
Amar Singh, chair of the Security Advisory Group of industry body ISACA UK, said claims around a lapse in password protection worried him most.
“The worry, if the reports are accurate, is the fact that the user details, including the passwords, were being transmitted and stored in clear text! To me, in today's day and age, that is simply irresponsible and reckless practice.
“Certain controls, like encrypting data in transit and at rest, must be configured as de facto, a basic requirement, and the fact that the organisation appears to have ignored them makes no sense.”
While the extent of the problem remains unclear, Singh has advised BT Mail customers to play it safe and “change your password immediately – and remember to use a good password manager”.
“Organisations - risk assess any initiative that involves personal information and always, always use proper and strong encryption for data at rest and for data in-transit,” he added.
BT announced the choice of Critical Path as its consumer email provider in June 2013, providing email, calendar and contacts within the BT portal – as well as email anti-virus and anti-spam services – across desktop, client, webmail and mobile devices.
Critical Path was acquired by Openwave in December 2013.