Exclusive A woman who passed national security information to UK authorities spent six months in fear for her life, after Tiscali published her phone number and address in public directories, despite repeated requests to keep the information secret.

Tiscali now faces broad questions about the safety of its other ex-directory subscribers and over whether it can be trusted with sensitive data.

The woman now plans a High Court action against Tiscali for "reckless endangerment". She is pursuing tens thousands of pounds in compensation, amid allegations the broadband and phone provider compounded the danger by failing to act on urgent phone calls and two registered letters once she noticed the security breach.

The Information Commissioner's Office has stated it believes Tiscali failed to comply with the Data Protection Act.

Legal staff at Tiscali, now owned by Carphone Warehouse, also refused her requests for the firm to examine its records to ensure it has not compromised other customers' safety.

The woman has changed her identity more than once in the twenty years since she was linked to national security issues involving special forces, but she and contacts remain concerned her enemies could still seek revenge. She is not listed on the electoral roll and care has always been taken to ensure her contact details did not appear in any directory.

She signed up to Tiscali broadband in 2004 and in 2007 decided to also subscribe to its phone service via a fully unbundled line. The firm took over the line on September 6 2007, having been told several times by the woman that the her details must not be shared with anyone. Tiscali sales representatives assured her the information would remain secret.

Despite the guarantees, Tiscali provided BT with the woman's name address and phone number sometime before the end of November 2007, the deadline for inclusion in the next phone book. BT - which is not responsible for checking whether competitors' customers are ex-directory - duly published it in February 2008, online to the whole world, as well as in thousands of paper copies distributed locally.

The ex-activist didn't learn of the threat until June 2008, when she received an unsolicited phone call from someone trying to locate a former neighbour. Horrified at Tiscali's failure and in fear for her safety, she immediately called the firm to demand her details were removed, at least online.

Following weeks of frantic and fruitless battling for answers or action from the firm's overseas call centre, she turned to CISAS, an independent dispute resolution service for the communications industry. It told her to contact a Tiscali office in Stevenage.

This proved difficult, as the firm does not publish contact details for the office. Racked with worry about her own safety and the safety of others connected to the events she was involved with during the 1980s, in early July 2008 she sent a registered letter to the office urging Tiscali to act. A fraught month passed without a response, so she sent another copy of the registered letter at the end of July.

More weeks passed under the burden of knowing her home address was freely available to anyone with access to the web. The woman finally received a response in late August after contacting an email address provided by CISAS. It would take a month for head office to respond, Tiscali said.

After threats to send police to the Stevenage office, in mid-September head office rang. It told the woman - by now aware she had been exposed for four months - that it was not possible to remove her number from the BT database provided to directory companies because her line was fully unbundled.

"During our conversation today, you have educated me as to why you need to have an ex-directory line," a Tiscali staffer said via email.

"Unfortunately, due to the fact that your line is [metallic path facility], we were unable to provide this technology at the time of provisioning."

Tiscali said it could shut down her line and change the number, but she replied this would not help, because her home address was already in the wild.

Then at the end of the month, after more calls to the Stevenage office, Richard Lawrence, then-deputy leader of Tiscali's high level complaints team, rang. He was keen for the woman to give a figure for a cash settlement to compensate for the distress caused.

"How much do you want?" he shouted, according to documents seen by The Register. "10,000? 20,000? 50,000? How much? Give me a figure?"

The woman declined to give a figure, telling Lawrence she would only be happy if Tiscali agreed to check its records for any other ex-directory numbers it had wrongly published. The September email from head office had suggested to her that Tiscali had a technical problem that meant it could not list fully unbundled lines as ex-directory. He refused.

It wasn't until November that Tiscali acted to remove the woman's address from the telephone directory, six months after it had first been told of its grave error.

Before Christmas, David Sanjivi, Tiscali's lawyer wrote to offer £600 compensation, which was immediately rejected. In February the offer was raised to £2,000, which was again rejected.

"She kept insisting that her main concern was about the safety of others and wanted Tiscali to thoroughly check their customer base and if they find they have placed numbers that should have been withheld, into the public domain," a source with knowledge of the case said.

"She spelled it out for him; Tiscali could get people killed, beaten up etc."

Her calls for a security check were unheeded however. Throughout the battle the woman had made strenuous efforts to warn former colleagues and contacts that her own location had been published, but she wanted Tiscali to check it had not place abused partners or people in witness protection in a similar position.

By March this year her claim against Tiscali was for £20,000 damages plus £2,500 costs. The company, meanwhile, demanded to know the detailed background of her involvement in national security.

"Did they really believe, having shown themselves to be without the integrity to be trusted with sensitive and highly confidential information, that she would just hand it all over?," a source said.

Via Westminster contacts, the woman instead took her story to the Information Commissioner's Office. In June a case officer wrote: "It is my assessment that it is unlikely that Tiscali has complied with the Data Protection Act in this case."

Tiscali declined to comment on the individual case. "If a registered letter was not responded to then we apologise, this is certainly not typical," it said in a statement. "We take the security of our customer data very seriously and are compliant with all legal requirements for data protection." ®

Related stories

• Demon splurges details of 3,600 customers in billing email (23 September 2009)

  https://www.theregister.com/2009/09/23/demon_password_giveaway/

• Average UK broadband just over half advertised speed (28 July 2009)

  https://www.theregister.com/2009/07/28/ofcom_speeds/

• ContactPoint goes live despite security fears (17 May 2009)

  https://www.theregister.com/2009/05/17/contactpoint_follow_up/

• Carphone Warehouse buys Tiscali UK (8 May 2009)

  https://www.theregister.com/2009/05/08/carphone_tiscali/

• Tiscali titsup fears grow (16 April 2009)

  https://www.theregister.com/2009/04/16/tiscali_audit/

• US mercenary outfit shoots 11 Iraqis - and self in foot (18 September 2007)

  https://www.theregister.com/2007/09/18/blackwater_iraq_shooting/

• Prison for privacy crooks (12 May 2006)

  https://www.theregister.com/2006/05/12/ico_privacy_sentences/