UK BT internet security breach BT's Talk21 websiteThursday, 28 September, 2000, 18:55 GMT 19:55 By BBC News Online's Iain Rodger http://news.bbc.co.uk/hi/english/business/newsid_946000/946717.stm A serious internet security breach has been discovered at BT's free e-mail service Talk21. The security failure came to light when John Heaton, who runs his own online business, found he was given full access to other people's e-mail accounts by accident. This is a shocking breach of security [John Heaton] He found he could change personal details and read or send messages from within those accounts. Mr Heaton stumbled upon the fault after he sent a marketing e-mail about his company, Hotelkeeper.net, to hoteliers around the country, which contained a hyperlink to his website. [Unauthorised access] Like many other internet businesses, Hotelkeeper.net uses freely available software to gather information about visitors to its website for marketing purposes. Extract from John Heaton's marketing e-mail All-important hyperlink The software package tells Mr Heaton where visitors go while browsing on his site and also the site they were looking at before they came to Hotelkeeper.net. It does not gather any personal information about the visitor. When hoteliers who received Mr Heaton's marketing e-mail clicked on the hyperlink to go to his site, this was registered by the software package as a visit. By clicking on the record of the visit, Mr Heaton would expect to see details of where they had come from and how they had travelled around his site. ['Astonished'] Instead, when he clicked on records from "a couple of dozen" visitors who had e-mail accounts at Talk21, he found he was taken straight into their accounts. I was angry that I received no response from BT over such an appalling security flaw [John Heaton] "I was utterly astonished", he said, and he immediately phoned a BT helpline to report the fault (1800 GMT on Wednesday). He said he was told to e-mail a 24-hour "priority address" at Talk21, which he did. When he had received no acknowledgement by Thursday morning, he e-mailed again at 0930 GMT and 1100 GMT. He also checked to see whether the fault had been cured and found it had not. Contacting BBC News Online, he said: "I was angry that I received no response from BT over such an appalling security flaw. "I stumbled across this breach - potentially affecting thousands of BT customers - in a perfectly legal and everyday manner. "Companies have to realise that the much-hyped development of the internet just won't happen if people are worried about security." [Beyond doubt] BBC News Online set up a Talk21 e-mail account to test the system again and asked Mr Heaton to send his marketing e-mail to the account. Within minutes, he was able to enter the account, delete test messages there and send new messages to third-parties from within the account. When BBC News Online contacted BT, spokesman John Salmon said they had no evidence of any security breach and were "looking into the allegations". It is interesting to note that Mr Heaton's website was accessed shortly afterwards by someone operating from the address "email@example.com". [Embarrassment] A year ago, unauthorised access was gained to personal accounts in Microsoft's free e-mail service, Hotmail. However, on that occasion the accounts were accessed by hackers saying they wanted to make a point about Microsoft's "bad" security. This new security breach - which entailed no hacking - is a great embarrassment to BT. Less than six months ago, there was a fault on its Openworld broadband website which resulted in unauthorised access to the personal details of people who had registered for the service. BT is also facing bitter criticism for allegedly holding up the development of high-speed internet access by clinging to the last vestiges of its old monopoly of the UK telecoms network.