O2 have fixed a problem that revealed the mobile phone number of customers to websites when they were browsing websites via their mobile phone.
For just over 2 weeks (Tuesday 10th January 2012 until Wednesday 25th January 2012) O2 were sharing customers mobile phone numbers with websites that they were visiting via their mobile phone, the information was being displayed as plain text in the header information that is sent from the phone to the website and potentially meaning that the phone numbers were then available for spamming through text messaging or telephone calls.
The issue was only found when Lewis Peckover, a web systems administrator ran a test to show that O2 were sharing users mobile phone numbers with websites.
O2 had not deliberately let this happen and stated that it was an “unintended effect” of some routine maintenance they had done on January 10th.
O2 also said:
“The only information websites had access to is your mobile number, which could not have been linked to any other identifying information we have about customers.”
O2 also explained what happens with mobile numbers when O2 mobile customers browse the internet.
“Every time you browse a website (via mobile or desktop), certain technical information about the machine you are using, is passed to website owners. This happens across the internet, and enables website owners to optimise the site you see. When you browse from an O2 mobile, we add the user’s mobile number to this technical information, but only with certain trusted partners. This is standard industry practice. We share mobile numbers with selected trusted partners for 3 reasons: 1) to manage age verification, which manages access to adult content, 2) to enable third party content partners to bill for premium content such as downloads or ring tones that the customer has purchased 3) to identify customers using O2 services, such as My O2 and Priority Moments. This only happens over 3G and WAP data services, not Wifi.”
The ICO (Information Commissioner’s Office) who deal with UK privacy are said to be looking in to it to see if the Data Protection Act has been breached. They did say the following:
“When people visit a website via their mobile phone, they would not expect their number to be made available to that website. We will now speak to O2 to remind them of their data breach notification obligations, and to better understand what has happened, before we decide how to proceed.”
O2 have put up a page trying to detail the issue for anyone who wants a bit more information. view here.