'

BT apologises for BTopenworld security breach

BTopenworld launch fiasco enrages ADSL applicants as their full personal details are exposed online

Telco giant BT (quote: BT) was told about its BTopenworld blunder as early as Wednesday but failed to remedy the situation until 24 hours later, according to a surfer who noticed the problem early on.

A ZDNet reader says that after informing BT about the security hole Wednesday, he was told by a representative of BT's technical team, that it was "a server issue for which we are not responsible." A BT spokesman says that a full investigation is currently being carried out into yesterday's breach and promises to take our reader's information into consideration.

A red-faced BT on Friday officially apologised by email to those 6900 individuals whose confidential details were exposed by the breach. The message vows to track down all those who might have gained unauthorised access and ensure that they delete it.

"We are writing to those people identified as having accessed this hidden area," writes General Manager of BTopenworld Robert Salvoni. "To get written confirmation that they have not copied, used or passed your details to any other person and will delete or destroy all copies of this information."

It is understood both The Times and ZDNet have been sent a missive requesting the information not be published or distributed.

Salvoni also promises to step up BT's security measures. "I can confirm that we are undertaking a full and thorough investigation to ensure that breaches of this nature do not happen again," he adds.

In this statement, however, there is no mention of compensation for the incident, something that has displeased a number of customers.

One BTopenworld customer who requested anonymity said, "Frankly I'm amazed that an organisation the size of BT could make such a cock-up so soon after the launch of its much fabled ADSL service. Not surprisingly there seems to be no indication of an explanation as to how or why this occurred. Blaming "human error" strikes me as a particularly feeble attempt at passing the buck. Perhaps BT could dip its hand into its swollen coffers and offer some sort of compensation for what is becoming a trend in its security provision. I shan't hold my breath..."

Yesterday's breach is a huge blunder, according to Kevin Black, a spokesman for Internet Security Systems, who is scathing -- "At any Web site where you are storing information of such an obviously sensitive nature, a correct process should be gone through to ensure adequate security."

Black adds that while this may have been a simple mistake, such a lapse could be seriously repercussions. "Just a simple configuration error can cause this sort of data to become openly available. This has obvious implications not just to the integrity of customer data, but also with potential for competitive advantage."

Guy Kewney contributed to this report

Should BT be forced to pay compensation and/or offer a clearer explanation for this blunder? Are you one of those whose personal details were revealed? Will you complain to Oftel/Data Protection Registrar? Tell the Mailroom.

Check out ZDNet's new Interactive Broadband Guide