Investigation into BT following 999 emergency call service outage on 25 June 2023

Ofcom has issued a Confirmation Decision to British Telecommunications Plc (‘BT’) under section 96C of the Communications Act 2003 (the ‘Act’) in respect of this investigation.

The investigation followed a network fault that affected BT’s ability to connect calls to emergency services. We have found that BT has contravened section 105A(1)(c) of the Act and Regulation 9 of the Electronic Communications (Security Measures) Regulations 2022 by failing to take appropriate and proportionate measures for the purposes of preparing for the occurrence of ‘security compromises’[1] in its provision of Emergency Call Handling Services (ECHS). This is a contravention of some of the Security Duties[2] that apply to BT which are in place to protect the security and resilience of the UK’s public networks and services.

On Sunday 25 June 2023, BT experienced a technical issue which resulted in disruption to the ECHS for a duration of approximately 10.5 hours, affecting approximately 14,000 emergency calls. The service experienced a total outage of approximately one hour, during which time callers to the ECHS – that is, anyone trying to call 999/112 – were unable to connect to one of BT’s Call Handling Agents who transfer emergency calls to the required emergency authority.

Our investigation has found that BT did not adequately prepare for the occurrence of an outage of the ECHS. Specifically, we found BT did not take sufficient measures:

1. to ensure that it had clearly defined and tested means and procedures in place for identifying, assessing and addressing the occurrence of security compromises; and
2. to prepare for the occurrence of security compromises by having in place an appropriate backup system capable of adequately limiting the adverse effects of the security compromise and enabling BT to recover.

We consider BT’s contravention to be a very serious matter. Ofcom further considers that any failure which impacts the ability of citizens to contact emergency response organisations to be exceptionally serious, given the potentially critical consequences of people being unable to connect to these services when they need them.

As a result, we are imposing a financial penalty of £17.5 million on BT. This penalty was set having regard to our Penalty Guidelines and includes a 30% discount as a result of BT’s admission of liability and its completion of Ofcom’s settlement process.

The penalty reflects several factors, including our finding that the scale and impact of the specific incident was prolonged by factors within BT’s control, including the absence of adequate operational and incident management procedures, and the reduced capacity and functionality of BT’s Disaster Recovery platform. It also takes into account the action BT has taken to date to remedy the consequences of the contravention, and the measures introduced to prevent a similar occurrence, and to mitigate adverse effects in the event the ECHS is compromised in the future.

As part of this investigation, we also considered BT’s compliance with section 105C of the Act and General Conditions A3.2, C5.8, C5.9, C5.10, C5.11 and C5.12. At this time, we do not propose to pursue making a finding in relation to these provisions. As a matter of administrative priority, our investigation has prioritised the most serious concerns arising out of BT’s conduct, particularly in relation to the measures taken by BT to prepare for a security compromise. For this reason, we have focused on breaches of Section 105A of the Act and Regulation 9 of the Regulations.  

 A non-confidential version of the Confirmation Decision will be published shortly.

[1] Section 105A(2) of the Act broadly defines a security compromise, and (relevantly) includes “anything that compromises the availability, performance or functionality of the network or service”.

[2] Security Duties means the duties imposed on providers of public electronic communications networks and services by or under any of sections 105A to 105D, 105I to 105K, 105L(6), (7)(c) and (8), 105N(2)(a) and 105O of the Act, as amended by the Telecommunications (Security) Act 2021, which came into force in October 2022.

Ofcom has reason to believe that in addition to affecting access to emergency 999 voice call services, the incident on 25 June 2023 may have caused disruption to:

• text relay services (emergency and non-emergency);
• emergency video relay services; and
• mobile SMS access to emergency organisations.

These services are important and provide ways for disabled people to easily make telephone calls and contact the emergency services. As we are seeking to establish the facts surrounding the incident, we have widened the scope of our investigation to better understand the impact on these services, and additionally to consider BT’s compliance with General Conditions C5.8, C5.9, C5.10, C5.11 and C5.12.

Ofcom has today opened an own-initiative investigation into BT’s compliance with General Condition A3.2 (GC A3.2) and sections 105A and 105C of the Communications Act 2003. The investigation follows BT’s notification of a technical fault which resulted in a UK-wide disruption to emergency call services on 25 June 2023.

GC A3.2 requires certain communications providers to take all necessary measures to ensure the fullest possible availability of voice and internet services provided over public electronic communications networks in the event of catastrophic network breakdown or in cases of force majeure, and uninterrupted access to emergency organisations as part of any voice services offered.

Section 105A requires providers of public electronic communications networks and services (providers) to take such measures as are appropriate and proportionate to identify and reduce the risks of, and prepare for the occurrence of, security compromises, including, anything that compromises the availability, performance or functionality of the network or service.

Section 105C requires providers to take such measures as are appropriate and proportionate to prevent adverse effects arising from a security compromise that has occurred. Where a security compromise has an adverse effect on the network or service, the provider must take such measures as are appropriate and proportionate to remedy or mitigate that effect.

Ofcom’s investigation will seek to establish the facts surrounding the incident and examine whether there are reasonable grounds to believe that BT has failed to comply with its regulatory obligations.