O2 data breach potentially shares your cellphone number with the world (Updated)

O2 data breach potentially shares your cellphone number with the world

There's an alarming rumor circulating that suggests that UK network O2 forwards your phone number to any website visited on a smartphone. Lewis Peckover built a site that displays the header data sent to sites you visit, finding a network-specific field called "x-up-calling-line-id" which displayed his number. Angry users who tested the site have flooded the company's official Twitter, which is currently responding with:

"Security is our top most priority, we're investigating this at the moment & will come back with more info as soon as we can."

The Next Web confirmed that Orange, T-Mobile and Vodafone numbers are unaffected by the issue, but GiffGaff and Tesco Mobile (both MVNOs that operate on the same network) do. TNW's sources say it's most likely an internal testing setup, while Mr. Peckover suggests it's because the network transparently proxies HTTP traffic, using the number as a UID.

Update: We received confirmation from O2, who said that it was "investigating with internal teams and it's our top priority." Slashgear and Think Broadband were unable to replicate the problem, but in our tests (pictured) it was sharing our data with the site.

Update 2: Consumer magazine Which? contacted UK privacy watchdog, the Information Commissioner's Office which offered the following:

"Keeping people's personal information secure is a fundamental principle that sits at the heart of the Data Protection Act and the Privacy and Electronic Communications Regulations. When people visit a website via their mobile phone they would not expect their number to be made available to that website.

We will now speak to O2 to remind them of their data breach notification obligations, and to better understand what has happened, before we decide how to proceed."

We'll let you draw your own conclusions from that one, but it's not shaping up to be a good day for the company (or its users).

Update 3: Our tests have stopped working now, as it looks like the network is hurriedly trying to close the hole, but we've had no official word that it's over just yet.

Update 4: O2 has issued a full statement and Q&A which we've embedded after the jump. Long story short, it's fixed the issue -- caused by accidental routine maintenance. 3G / WAP users will have shared your number with any site you visited since January 10th. The network has promised it will co-operate fully with the ICO and has reported itself to Ofcom.

Show full PR text

O2 mobile numbers and web browsing

Security is of the utmost importance to us and we take the protection of our customers' data extremely seriously.

We have seen the report published this morning suggesting the potential for disclosure of customers' mobile phone numbers to website owners.

We investigated, identified and fixed it this afternoon. We would like to apologise for the concern we have caused.

Below is a set of Q&As, to answer questions we've been receiving. If you have further questions, do leave them in the blog comments and we will do our best to answer as many as possible.

Q: What's happened with O2 mobile numbers when I browse the internet on my mobile?

A: Every time you browse a website (via mobile or desktop), certain technical information about the machine you are using, is passed to website owners. This happens across the internet, and enables website owners to optimise the site you see. When you browse from an O2 mobile, we add the user's mobile number to this technical information, but only with certain trusted partners. This is standard industry practice. We share mobile numbers with selected trusted partners for 3 reasons: 1) to manage age verification, which manages access to adult content, 2) to enable third party content partners to bill for premium content such as downloads or ring tones that the customer has purchased 3) to identify customers using O2 services, such as My O2 and Priority Moments. This only happens over 3G and WAP data services, not WiFi.

Q: How long has this been happening?

A: In between the 10th of January and 1400 Wednesday 25th of January, in addition to the usual trusted partners, there has been the potential for disclosure of customers' mobile phone numbers to further website owners.

Q: Has it been fixed?

A: Yes. It was fixed as of 1400 on Wednesday 25th January 2012.

Q: Which of my information can website owners access?

A: The only information websites had access to is your mobile number, which could not have been linked to any other identifying information we have about customers.

Q: Why did this happen?

A: Technical changes we implemented as part of routine maintenance had the unintended effect of making it possible in certain circumstances for website owners to see the mobile numbers of those browsing their site.

Q: Which customers were affected?

A: It affected customers accessing the internet via their mobile phone on 3G or WAP services, but not WIFI, between 10th of January and 1400 on Wednesday the 25th of January.

Q: Which websites do you normally share my mobile number with?

A: Only where absolutely required by trusted partners who work with us on age verification, premium content billing, such as for downloads, and O2's own services, have access to these mobile numbers.

Q: The Information Commissioner said he is investigating - what are you doing as part of this?

A: We are in contact with the Information Commissioner's office, and we will be co-operating fully. We have also contacted OFCOM.