O2 apology for disclosing mobile phone numbers online
- 8 March 2012
- From the section Technology
O2 has apologised for a technical problem which caused users' phone numbers to be disclosed when using its mobile data.
The company said it normally only passed numbers to "trusted partners".
A problem during routine maintenance meant that from 10 January numbers could have been seen by other websites.
"We investigated, identified and fixed it this afternoon. We would like to apologise for the concern we have caused," the company said.
The Information Commissioner's Office had said that it would speak to O2 "to better understand what has happened".
In a blog post the company said:"We are in contact with the Information Commissioner's office, and we will be co-operating fully."
The company also said it had contacted the telecoms regulator Ofcom.
Lewis Peckover, a system administrator for a mobile gaming company, flagged up the issue on Tuesday.
To demonstrate the flaw, he set upan online scriptwhich allows users to see if their number is revealed.
He said he was "absolutely shocked" by the discovery.
O2 said the problem was a temporary issue which arose during routine maintenance
"Technical changes we implemented as part of routine maintenance had the unintended effect of making it possible in certain circumstances for website owners to see the mobile numbers of those browsing their site," the company wrote.
However, the company added that it had previously disclosed this information, but only when "absolutely required by trusted partners".
"When you browse from an O2 mobile, we add the user's mobile number to this technical information, but only with certain trusted partners."
The company said this was needed to manage "age verification, premium content billing, such as for downloads, and O2's own services".
However the technical glitch meant the sharing went further it said: "In addition to the usual trusted partners, there has been the potential for disclosure of customers' mobile phone numbers to further website owners."
It said that the problem potentially "affected customers accessing the internet via their mobile phone on 3G or WAP services, but not wi-fi".
O2 said that the limited sharing of numbers was "standard industry practice".
In a statement Everything Everywhere confirmed: "When Orange and T-Mobile customers use their mobile phones for general web browsing no customer information, such as mobile phone numbers, is shared with the website.
"As is the case with all mobile operators in the UK, Orange and T-Mobile customers can visit a small number of trusted partner websites where transactions can take place, such as purchasing ringtones. In order to complete the purchase or download customers pay via their Orange and T-Mobile accounts and hence mobile phone numbers have to be made available to these sites."
In a statement Vodafone said it pursued a similar policy adding that it only shared numbers with approved Vodafone UK partners who were "subject to security checks to ensure they conform to our stringent requirements around protecting our customers' privacy".
Mr Peckover had told the BBC he would be making a formal complaint to the Information Commissioner's Office about O2.
"I don't want sites to match up all my requests and potentially call me and talk to me about them," he said.
The Information Commissioner's Office said: "When people visit a website via their mobile phone they would not expect their number to be made available to that website.
"We will now speak to O2 to remind them of their data breach notification obligations, and to better understand what has happened, before we decide how to proceed."
One business owner who checked his servers' logs told the BBC that he had discovered that they contained hundreds of mobile phone numbers.
Nick Halstead, of Tweetmeme, said that he was concerned that advertisers could make use of the information.
"This would be very valuable to them. I think it's a matter of massive concern," he said.
"They could now know not just your phone number, but all the websites that you visit, and so target you."
News of the discovery spread rapidly on Twitter.
One Twitter user wrote: "I'm outraged this even happened. @O2 need to both fix this quick, AND explain why they decided to volunteer our numbers in the first place."
Another tweeted: "Woah - @O2 users' mobile numbers are being beamed to every website - and ad server - they access? That's... not good."
O2 said it "would like to apologise for the concern we have caused".
There is no evidence that other networks had experienced similar problems.