The UK Information Commissioner's Office (ICO) is investigating an email system used by British multinational telecommunications services company BT for allegedly exposing ‘user credentials en masse’.
As part of the investigation, the UK data regulator is looking into the telecom company’s data practices during its process of shifting consumers’ email accounts from a Yahoo-based system to its customised set-up developed by Openwave Messaging.
The agency is mainly aiming to find out whether BT implemented insecure protocols for the messaging platform and stored data in a way that exposed e-mail addresses and passwords.
BT told the Register in a statement that the company takes the security of all products very seriously and, in the process of developing new services with partners, it rigorously audits and tests for security.
"We believe this unverified assessment of BT Mail relates to an issue identified and fixed as part of our normal testing and development process," the telecoms firm added.
The latest probe comes in the wake of a disclosure by an unidentified whistle-blower, believed to be an ex-employee of Critical Path, the firm responsible for developing the new email system for the telecoms firm.
The ICO said in a statement that on the basis of the information [the whistleblower] provided, the agency considers it unlikely that BT has complied with the requirements of the [Data Protection Act].
"This is because the evidence [the whistleblower] … provided to us indicates that BT customer email accounts were being compromised by spammers/scammers on a daily basis and that BT was aware of this," the ICO added.
In addition, BT allegedly allowed insecure logging-in via HTTP, rather than using the HTTPS encrypted protocol.
In response to the ICO’s allegations, BT told the BBC that the assessment was a mistake.
"BT Mail is HTTPS, not HTTP, and we would not use HTTP with live customers," BT said.
"Yahoo has told us that they have identified unauthorised access to some BT Yahoo email accounts.
"We’re continuing to provide assistance and information to Yahoo to investigate the issue."