
UPD Security Concerns with BT’s UK Email Service Trigger ICO Investigation

Thursday, Mar 13th, 2014 (2:03 pm)

The United Kingdom’s Information Commissioner’s Office is investigating a potentially serious data security blunder with BT Mail, which is an Internet email service delivered by Openwave Messaging (formerly Critical Path), after a whistle-blower warned that the service “exposed user credentials en masse“.

Readers might recall that BT ditched their old Yahoo! based email / webmail platform, which had been suffering from a variety of security problems, in the middle of last year in favour of an alternative solution from Openwave Messaging / Critical Path.

So it’s perhaps not without some irony that the new service seems to have been hit by a security snag of its own, which The Register claims was brought to light by a leak from one of Openwave’s own employees. It’s also alleged that this same problem allowed the usernames and passwords of BT subscribers to be logged by the messaging provider.

Apparently Openwave’s service “was running a set-up during migration that exposed user credentials en masse as login proxies connected via load balancers to Yahoo!, with only traffic between load balancers and Yahoo! being encrypted and the rest circulating around the infrastructure in clear text“.

The report claims that the ICO has been investigating this and one of their leaked documents apparently states: “BT customer email accounts were being compromised by spammers/scammers on a daily basis and that BT was aware of this“. One of the alleged problem areas is that BT is said to have approved the “continued insecure logging in for its users by HTTP” rather than the more secure HTTPS channel, although BT categorically told ISPreview.co.uk that BT Mail uses HTTPS and not HTTP and “it was never intended to be otherwise“.


A BT Spokesperson said:

“BT has been made aware by the ICO that they are conducting an unverified assessment in relation to BT Mail security, a service which is provided by Openwave (formerly Critical Path).

BT takes the security of all products very seriously and in the process of developing new services with partners, we rigorously audit and test for security, and fix any identified issues before going into live service.

We believe this unverified assessment of BT Mail relates to an issue identified and fixed as part of our normal testing and development process.”

BT is currently being given a chance to explain their side of the story before the ICO rules on the case. Meanwhile Openwave stressed that “we have not found any evidence” of a data breach and have pledged to “fully cooperate with any ICO assessment“. So if there was a security flaw then it appears not to have been exploited by hackers and has since been fixed.

UPDATE 14th March

A BT spokesperson told us categorically that BT Mail uses HTTPS and not HTTP and “it was never intended to be otherwise“. The above article has been updated to add this context.

By Mark Jackson
Mark is a professional technology writer, IT consultant and computer engineer from Dorset (England). He also founded ISPreview in 1999 and enjoys analysing the latest telecoms and broadband developments.