It appears that the flaw occurred when a visitor to the site of
John Heaton, clicking a link on an e-mail from Mr Heaton, also had
a Talk21 e-mail account open, giving Mr Heaton full control of the
other user’s account. He reported the flaw to BT. The company is
said to be looking into the issue.

Although the extent of this alleged security flaw is not yet
known, it is a breach of the UK Data Protection Act to disclose
personal information to third parties without permission and a
breach of the obligation to keep personal information secure. It
would be possible for any affected person to complain to the Data
Protection Commissioner, who could serve a notice on BT demanding
information about its data protection practices. If this notice were
not complied with, an enforcement notice could be issued.

In the event that damage or distress was caused to an individual
and they suffered financial loss (for example, where an e-mail
account was abused by a third party), it would be feasible for such
an individual to claim compensation from BT through the courts.