Critical Path was running a set-up during migration that exposed user credentials en masse as login proxies connected via load balancers to Yahoo!, with only traffic between load balancers and Yahoo! being encrypted and the rest circulating around the infrastructure in clear text.
Among other things, it has been alleged that user IDs and passwords of BT subscribers were logged by the messaging provider. The whistleblower said he was concerned by what he claimed to be the "careless implementation of security safeguards affecting the privacy of BT internet mail users."
Meanwhile, the ICO has been investigating the allegations to determine whether a violation of the UK's data laws has taken place. It has also been mulling over BT's culpability in the case.