BT caught in data gaffe drama: Whistleblower squeals over alleged email fail

Exclusive BT is being investigated by the UK's data regulator after a whistleblower exposed evidence that allegedly showed the one-time national telco's customer email accounts were being compromised by spammers, The Register has learned.

In May last year, BT unceremoniously ditched Yahoo! Mail in favour of a white label product from San Mateo, California-based Critical Path Inc.

At the time, Britain's largest ISP explained that it was "always looking for ways to improve and develop products and services", while Critical Path chimed in by adding that it was offering a "flexible and consistent experience across ... devices", and added that the deal included "email antivirus/anti-spam security services."

In December last year, an employee of Critical Path Inc – which was bought by Openwave Messaging in late 2013 – blew the whistle on the company by claiming to the UK's Information Commissioner's Office that a series of data gaffes had occurred that affected BT's customers.

According to confidential documents seen by The Register, the whistleblower warned the watchdog that Critical Path Inc was running what he described as a chaotic mail system for BT that, he claimed, may have flouted Britain's data rules.

Our source alleged:

Critical Path was running a set-up during migration that exposed user credentials en masse as login proxies connected via load balancers to Yahoo!, with only traffic between load balancers and Yahoo! being encrypted and the rest circulating around the infrastructure in clear text.

Among other things, it has been alleged that user IDs and passwords of BT subscribers were logged by the messaging provider. The whistleblower said he was concerned by what he claimed to be the "careless implementation of security safeguards affecting the privacy of BT internet mail users."

Meanwhile, the ICO has been investigating the allegations to determine whether a violation of the UK's data laws has taken place. It has also been mulling over BT's culpability in the case.

It recently concluded in an exchange seen by El Reg:

On the basis of the information [the whistleblower] provided, we consider it unlikely that BT has complied with the requirements of the DPA. This is because the evidence [the whistleblower] ... provided to us indicates that BT customer email accounts were being compromised by spammers/scammers on a daily basis and that BT was aware of this.

This is also because BT appears to have approved the continued insecure logging in for its users by ‘HTTP:’ (rather than only allowing logging in by ‘HTTPS:’) when penetration testing identified the ability to login by ‘HTTP:’ as a significant weakness in the messaging platform.

In our opinion, this deficiency places all BT customer email login details at risk of compromise by way of the transmission of the login and password information over the open internet.

This is also because it appears that BT's customers login and password details were being retained in log files, increasing the risk to this information being accessed without authorisation. It appears Openwave Messaging may not have adhered to an alleged contractual obligation to not retain unencrypted password information for BT’s customers. The DPA notably requires BT to ensure its data processors’ adherence to the contractual security obligations imposed on the data processors by BT.

We asked the ICO to confirm that it was working on this particular case. A spokesman said that the regulator's "enquiries into this matter are still ongoing" and added that BT had been informed of the probe.

The Reg was also curious to know what the watchdog's current guidelines were for companies processing data online where customers are required to log in via a web browser.

We were told that it was considered "best industry practice" to use crypto protocols Transport Layer Security (TLS) or Secure Socket Layer (SSL). Firms are also advised to "provide appropriate security against interception," the ICO spokesman added.

Websites, VPN gear and similar online services that ordinary punters use to buy goods, send emails and share pictures rely on the TLS/SSL encryption protocol to keep data beyond the reach of eavesdroppers.

But there is some wiggle room when is comes to implementing such systems, the ICO noted.

"There may be reasons why this is not possible or cannot be achieved. This is why we are contacting BT for an explanation," the spokesman explained.

As an aside, it's somewhat ironic that BT's previous provider, Yahoo!, was notoriously sluggish at flicking the always-on crypto switch, much to the dismay of security bods. The Purple Palace only got around to enabling HTTPS encryption by default for all its mail users in January this year.

US-based Openwave Messaging, meanwhile, rushed out a hastily put together statement overnight to the Reg that was yet to be approved by the company's CEO David Ratner. Naturally, we were asked to "disregard" it. But, in the spirit of public interest, here it is in full:

Openwave Messaging and British Telecom take operational security very seriously. As part of working with British Telecom to move them onto a more secure platform, and as a natural course of business, various forms of security and penetration testing took place prior to the production launch of the new system.

These tests identified a limited number of issues that were properly found and fixed as part of planned pre-production testing, and never put at risk British Telecom or their customers. Openwave Messaging is committed to developing secure systems and will continue to do so.

However, the approved version ended up looking like this:

Openwave Messaging (Critical Path) takes operational security very seriously. We will fully cooperate with any ICO assessment to ensure that consumers are reassured that their data is safe. Based on our investigations we have not found any evidence of data breach.

We believe any issues that have been raised with the ICO are likely to be ones that have already been identified and corrected during the normal course of our comprehensive security tests that we carry out before launch.

Meanwhile, BT provided The Reg with this statement:

BT has been made aware by the ICO that they are conducting an unverified assessment in relation to BT Mail security, a service which is provided by Openwave (formally Critical Path). BT takes the security of all products very seriously and in the process of developing new services with partners, we rigorously audit and test for security, and fix any identified issues before going into live service. We believe this unverified assessment of BT Mail relates to an issue identified and fixed as part of our normal testing and development process.

The ICO will make a decision about whether regulatory action should be taken against BT only after the telecoms giant has had a chance to explain its actions to the watchdog. ®