O2 apology for disclosing mobile phone numbers online

Smartphone running the mobile number test Tests suggest some, but not all, O2 mobile data users are affected

Related Stories

O2 has apologised for a technical problem which caused users' phone numbers to be disclosed when using its mobile data.

The company said it normally only passed numbers to "trusted partners".

A problem during routine maintenance meant that from 10 January numbers could have been seen by other websites.

"We investigated, identified and fixed it this afternoon. We would like to apologise for the concern we have caused," the company said.

The Information Commissioner's Office had said that it would speak to O2 "to better understand what has happened".

In a blog post the company said: "We are in contact with the Information Commissioner's office, and we will be co-operating fully."

The company also said it had contacted the telecoms regulator Ofcom.

Unintended consequences

Lewis Peckover, a system administrator for a mobile gaming company, flagged up the issue on Tuesday.

To demonstrate the flaw, he set up an online script which allows users to see if their number is revealed.

He said he was "absolutely shocked" by the discovery.

O2 said the problem was a temporary issue which arose during routine maintenance

"Technical changes we implemented as part of routine maintenance had the unintended effect of making it possible in certain circumstances for website owners to see the mobile numbers of those browsing their site," the company wrote.

Start Quote

The battle over the future of data is underway, and we are all being invited to take sides”

End Quote

However, the company added that it had previously disclosed this information, but only when "absolutely required by trusted partners".

"When you browse from an O2 mobile, we add the user's mobile number to this technical information, but only with certain trusted partners."

The company said this was needed to manage "age verification, premium content billing, such as for downloads, and O2's own services".

However the technical glitch meant the sharing went further it said: "In addition to the usual trusted partners, there has been the potential for disclosure of customers' mobile phone numbers to further website owners."

It said that the problem potentially "affected customers accessing the internet via their mobile phone on 3G or WAP services, but not wi-fi".

Trusted partners

O2 said that the limited sharing of numbers was "standard industry practice".

In a statement Everything Everywhere confirmed: "When Orange and T-Mobile customers use their mobile phones for general web browsing no customer information, such as mobile phone numbers, is shared with the website.

"As is the case with all mobile operators in the UK, Orange and T-Mobile customers can visit a small number of trusted partner websites where transactions can take place, such as purchasing ringtones. In order to complete the purchase or download customers pay via their Orange and T-Mobile accounts and hence mobile phone numbers have to be made available to these sites."

In a statement Vodafone said it pursued a similar policy adding that it only shared numbers with approved Vodafone UK partners who were "subject to security checks to ensure they conform to our stringent requirements around protecting our customers' privacy".

Questions

Mr Peckover had told the BBC he would be making a formal complaint to the Information Commissioner's Office about O2.

Start Quote

They could now know not just your phone number, but all the websites that you visit, and so target you”

End Quote Nick Halstead Tweetmeme

"I don't want sites to match up all my requests and potentially call me and talk to me about them," he said.

The Information Commissioner's Office said: "When people visit a website via their mobile phone they would not expect their number to be made available to that website.

"We will now speak to O2 to remind them of their data breach notification obligations, and to better understand what has happened, before we decide how to proceed."

One business owner who checked his servers' logs told the BBC that he had discovered that they contained hundreds of mobile phone numbers.

Nick Halstead, of Tweetmeme, said that he was concerned that advertisers could make use of the information.

"This would be very valuable to them. I think it's a matter of massive concern," he said.

"They could now know not just your phone number, but all the websites that you visit, and so target you."

Customer anger

News of the discovery spread rapidly on Twitter.

One Twitter user wrote: "I'm outraged this even happened. @O2 need to both fix this quick, AND explain why they decided to volunteer our numbers in the first place."

Another tweeted: "Woah - @O2 users' mobile numbers are being beamed to every website - and ad server - they access? That's... not good."

O2 said it "would like to apologise for the concern we have caused".

There is no evidence that other networks had experienced similar problems.

More on This Story

Related Stories

The BBC is not responsible for the content of external Internet sites

More Technology stories

RSS

Features & Analysis

BBC Future

(Thinkstock)

How a fish inspired a supercar

Sailfish secrets take to the road Read more...

Programmes

  • Man dancingClick Watch

    Searching for the DNA of dance music – the quest to find the perfect party anthem

BBC © 2014 The BBC is not responsible for the content of external sites. Read more.

This page is best viewed in an up-to-date web browser with style sheets (CSS) enabled. While you will be able to view the content of this page in your current browser, you will not be able to get the full visual experience. Please consider upgrading your browser software or enabling style sheets (CSS) if you are able to do so.