It appears that the flaw occurred when a visitor reached John Heaton’s site by clicking a link in an e-mail from Mr Heaton while also having a Talk21 e-mail account open, which gave Mr Heaton full control of that user’s account. Mr Heaton reported the flaw to BT. The company is said to be looking into the issue.
Although the extent of this alleged security flaw is not yet known, it is a breach of the UK Data Protection Act to disclose personal information to third parties without permission, and a breach of the obligation to keep personal information secure. It would be possible for any affected person to complain to the Data Protection Commissioner, who could serve a notice on BT demanding information about its data protection practices. If this notice were not complied with, an enforcement notice could be issued.
In the event that damage or distress was caused to an individual and they suffered financial loss (for example, where an e-mail account was abused by a third party), it would be feasible for such an individual to claim compensation from BT through the courts.