Security Concerns with BT's UK Email Service Trigger ICO Investigation - ISPreview UK
The United Kingdom’s Information Commissioner’s Office is investigating a potentially serious data security blunder with BT Mail, which is an Internet email service delivered by Openwave Messaging (formerly Critical Path), after a whistle-blower warned that the service “exposed user credentials en masse“.

Readers might recall that BT ditched their old Yahoo! based email / webmail platform, which had been suffering from a variety of security problems, in the middle of last year in favour of an alternative solution from Openwave Messaging / Critical Path (here).

So it’s perhaps not without some irony that the new service seems to have been hit by a security snag of its own, which The Register claims was brought to life by a leak from one of Openwave’s own employees. It’s also alleged that this same problem allowed the usernames and passwords of BT subscribers to be logged by the messaging provider.

Apparently Openwave’s service “was running a set-up during migration that exposed user credentials en masse as login proxies connected via load balancers to Yahoo!, with only traffic between load balancers and Yahoo! being encrypted and the rest circulating around the infrastructure in clear text“.

The report claims that the ICO has been investigating this and one of their leaked documents apparently states: “BT customer email accounts were being compromised by spammers/scammers on a daily basis and that BT was aware of this“. One of the alleged problem areas is that BT appears to have approved the “continued insecure logging in for its users by HTTP” rather than the more secure HTTPS channel.
A BT Spokesperson said:

BT has been made aware by the ICO that they are conducting an unverified assessment in relation to BT Mail security, a service which is provided by Openwave (formally Critical Path).

BT takes the security of all products very seriously and in the process of developing new services with partners, we rigorously audit and test for security, and fix any identified issues before going into live service.


We believe this unverified assessment of BT Mail relates to an issue identified and fixed as part of our normal testing and development process
.”
BT is currently being given a chance to explain their side of the story before the ICO rules on the case. Meanwhile Openwave stressed that “we have not found any evidence” of a data breach and have pledged to “fully cooperate with any ICO assessment“. So if there was a security flaw then it appears not to have been exploited by hackers and has since been fixed.