- Network disruption affected 14,000 emergency calls in June 2023 and lasted 10.5 hours
- Law requires networks to take appropriate steps to prepare for potential outages
- Ofcom finds that BT was not properly prepared to handle the incident
Ofcom has today fined BT £17.5 million for being ill-prepared to respond to a catastrophic failure of its emergency call handling service last summer.
BT connects 999 and 112 calls in the UK and provides relay services for deaf and speech-impaired people.
On Sunday 25 June 2023, BT experienced a network fault that affected its ability to connect calls to emergency services between 06:24 and 16:56. During the incident, nearly 14,000 call attempts – from 12,392 different callers – were unsuccessful.
BT notified Ofcom of this issue, as required by law, and on 28 June 2023 Ofcom opened an investigation to establish whether the company had failed to comply with its legal duties to take appropriate and proportionate measures to prepare for potential disruption to its network.[1]
How the incident unfolded
There were three key stages to this incident:
Phase 1, from 06:24 to 07:33 – During the first hour, BT’s emergency call handling system was disrupted by what was later found to be a configuration error in a file on its server. This resulted in call handling agents’ systems restarting as soon as a call was received; agents being logged out of the system; calls being disconnected or dropped upon transfer to the emergency authorities; and calls being put back in the queue. BT was initially unable to determine the cause of the issue and attempted to switch to its disaster recovery platform.
Phase 2, from 07:33 to 08:50 – The first attempt to switch to the disaster recovery platform was unsuccessful due to human error. This was a result of instructions being poorly documented, and the team being unfamiliar with the process. The incident grew from affecting some calls to a total outage of the system.
Phase 3, from 08:50 to 16:56 – The rate of unsuccessful calls decreased once traffic was migrated successfully to the disaster recovery platform. However, usual service was not fully restored initially as the disaster recovery platform struggled with demand.
BT’s inadequate preparedness
We found that BT did not have sufficient warning systems in place for when this kind of incident occurs, nor did it have adequate procedures for promptly assessing the severity, impact and likely cause of any such incident or for identifying mitigating actions. We also found that BT’s disaster recovery platform had insufficient capacity and functionality to deal with a level of demand that might reasonably be expected.
The incident also caused disruption to text relay calls, which meant people with hearing and speech difficulties were unable to make any calls, including to friends, family, businesses and services. This left deaf and speech-impaired users at increased risk of harm.
Financial penalty
BT is a large, well-resourced and experienced communications provider. Although there have been no confirmed reports by the emergency authorities of serious harm to members of the public as a result of the incident, the potential degree of harm was extremely significant. As a result of BT’s failures, Ofcom has decided to fine the company £17,500,000.[2]
Being able to contact the emergency services can mean the difference between life and death, so in the event of any disruption to their networks, providers must be ready to respond quickly and effectively.
In this case, BT fell woefully short of its responsibilities and was ill-prepared to deal with such a large-scale outage, putting its customers at unacceptable risk.
Today’s fine sends a broader warning to all firms -– if you’re not properly prepared to deal with disruption to your networks, we’ll hold you to strict account on behalf of consumers.
- Suzanne Cater, Ofcom’s Director of Enforcement
In considering the level of financial penalty, we took into account factors such as the seriousness, duration and degree of harm. We also considered steps BT has taken to remedy these issues, including fixing the error that caused the disruption; making improvements to fault monitoring; improving the disaster recovery platform; and documenting a clear process for switching to it. And we recognised that BT self-reported the incident, in line with its obligations, and provided regular updates. BT has also cooperated fully with our investigation and has provided Ofcom with information in a timely manner when requested.
Notes to editors
[1] Section 105A(1) of the Communications Act 2003, as amended by the Telecommunications (Security) Act 2021 – which came into force in October 2022 – and Regulation 9 of the Electronic Communications (Security Measures) Regulations 2022 require providers of public electronic communications networks and services to take such measures as are appropriate and proportionate, among others, to prepare for the occurrence of security compromises. Section 105A(2) of the Communications Act 2003 defines a security compromise as including anything that compromises the availability, performance or functionality of the network or service.
[2] BT must pay the fine within two months of this decision, and it will then be passed on to HM Treasury. It includes a 30% reduction as a result of BT’s admission of liability and agreement to settle the case.