BT is being investigated by the ICO over alleged email data leakage

BT is being investigated by the Information Commissioner’s Office (ICO) over claims that it has exposed user data, leading to spammers managing to get hold of email account details.

This apparently happened when BT shifted some of its subscribers from Yahoo services to a new system provided by a California-based company called Critical Path. And the alleged leakage was traced thanks to a whistleblower from Critical Path, who contacted the ICO regarding dodgy data practices at the end of last year.

He told the ICO that Critical Path had been “chaotic” in its implementation of the transfer of BT email accounts, and that the procedures followed had not played fair with UK data regulations.

The Register’s source on the matter said: “Critical Path was running a set-up during migration that exposed user credentials en masse as login proxies connected via load balancers to Yahoo, with only traffic between load balancers and Yahoo being encrypted and the rest circulating around the infrastructure in clear text.”

The ICO has been looking into the matter, and in an “exchange” seen by the Register, things don’t sound good for BT: “On the basis of the information [the whistleblower] provided, we consider it unlikely that BT has complied with the requirements of the DPA. This is because the evidence [the whistleblower] ... provided to us indicates that BT customer email accounts were being compromised by spammers/scammers on a daily basis and that BT was aware of this.”

The ICO also noted that BT continued to approve login for its users via HTTP (and not the more secure HTTPS), and this was obviously a major security weakness.

However, BT denied this, and told the BBC that: “BT Mail is HTTPS, not HTTP, and we would not use HTTP with live customers.”

BT did admit the ICO had contacted them to investigate this matter, but that it related to an issue which had been “identified and fixed.”

BT also said that the claims of spammers and scammers getting hold of email addresses were being confused with the issue of Yahoo users being spammed/scammed in general – and were nothing to do with BT’s security practices.

The ICO is apparently continuing its investigation into the matter, so we’ll keep our ears open to hear the latest developments on this one.