How hacker exposed BT lapse in safety

Steve Boggan reports on breach of national security
The Independent Online
It was one of the most serious breaches of national security. An Independent investigation revealed that hundreds of British Telecom employees and unvetted temporary workers were able to gain access to telephone numbers and addresses of secret military, government and security installations.

We revealed that locations of nuclear bunkers, MI5 and MI6 buildings, the homes of military officials - even John Major's private telephone number at Downing Street - had been obtained by a temporary BT worker.

The man, who was recruited on a short contract to do clerical and computing work, was given a BT password, normally used by a permanent member of staff. This enabled him to gain access to the company's customer database, and extract classified information at will. He discovered that hundreds of other BT staff could regularly access sensitive information in BT's Customer Services System.

The system, one of the country's largest databases, holds records of addresses and telephone numbers of 20 million homes and offices. Ex-directory numbers and sensitive military and security numbers that do not officially exist are on CSS. Each subscriber's listing contains details of the equipment installed - information which, in the case of government offices and secret installations, could be of value to terrorists and foreign powers.

Our investigations revealed that the CSS was wide open to abuse. Worse, reporters, supported by computer experts, discovered that some of BT's classified information had been extracted and placed on the Internet, the international computer network used by 35 million people. The world could view some of Britain's most closely-guarded secrets.

The revelations last November sparked furious rows in the House of Commons.

After consulting BT officials, Mr Major assured MPs that the company was "satisfied there was no hacking of the system nor any evidence that confidential information referred to in the [Independent] article has ever been on the Internet".

The newspaper was later able to find sensitive telephone numbers and addresses at a location on the Internet.

Our inquiries established that temporary staff supplied to BT by the Manpower employment agency were regularly given the passwords of permanent employees to the CSS.

Embarrassed by the revelations, BT launched a high-level internal inquiry into "an apparent breach of security". The Data Protection Registrar also began inquiries. But BT officials publicly sought to rubbish the Independent's articles, insisting the CSS computer was "secure and completely robust".

Among the downloaded information seen by the Independent were the locations of radar command posts, Nato fuel depots, tactical air control centres and missile sites, private numbers for members of the Royal Family, secret Bank of England numbers and MI6's training centre. BT denied claims that the CSS had been "hacked", but it could not explain why temps had access across all the system.

Our revelations caused reverberations through Whitehall. MI5, the Security Service and its sister Secret Intelligence Service, MI6, were angered by what they saw as serious security lapses in BT's computer network.

BT's problem was that the system, once accessed, was wide open, with staff able to "surf" across the entire network. There were no barriers built into CSS to prevent sensitive numbers and addresses being viewed. Whitehall ordered BT to tighten security.