BT investigated over email data



          

BT is moving seven million customers to its new email service, away from a Yahoo system.

BT is being investigated by the UK's data authority after a whistleblower claimed the company exposed user credentials en masse. BT is currently moving its customers' email accounts from a Yahoo-powered system to its own bespoke set-up. As revealed by The Register, the Information Commissioner's Office (ICO) is looking into BT's data practices during this process. BT told the BBC the complaint "relates to an issue identified and fixed".

The whistleblower is believed to have been a former employee of Critical Path, the company tasked with building BT's new system for email. Critical Path was acquired last year by Openwave, a California-based messaging specialist. On behalf of BT, the company must gradually switch over seven million customers from Yahoo to BT. The whistleblower said the method Critical Path was using was insecure.

A spokesman for BT said: "BT takes the security of all products very seriously. And in the process of developing new services with partners, we rigorously audit and test for security, and fix any identified issues before going into live service."

The BBC understands the vulnerabilities were discovered while the new email system was in its testing phase last year, and that the telecoms firm was confident no personal data had been compromised.

Mistake

Nevertheless, BT confirmed the ICO had contacted them, on Thursday, to begin enquiries following the whistleblower's remarks. In confidential documents obtained by The Register, and confirmed by the BBC to be genuine, the ICO said: "On the basis of the information [the whistleblower] provided, we consider it unlikely that BT has complied with the requirements of the [Data Protection Act]. This is because the evidence [the whistleblower] ... provided to us indicates that BT customer email accounts were being compromised by spammers/scammers on a daily basis and that BT was aware of this."

However, later in the same document, the ICO expressed concern that BT was allowing insecure logging-in using HTTP, rather than the encrypted protocol HTTPS. BT told the BBC this assessment was a mistake. "BT Mail is HTTPS, not HTTP, and we would not use HTTP with live customers."

The issue of spamming and scamming, BT said, was being confused with issues affecting Yahoo customers, and was not limited to BT. "Yahoo has told us that they have identified unauthorised access to some BT Yahoo email accounts," the spokesman said. "We're continuing to provide assistance and information to Yahoo to investigate the issue."

An ICO spokesman said the document published by The Register was not intended for publication, and that the comments should be treated as preliminary, rather than the authority's final conclusions on the matter.

Source: BBC
Posted on: Mon, 17 Mar 2014 13:27:57 +0000
