O2 apologises as it plugs phone number leak

25 Jan 2012
mobile security

Mobile operator says flaw has now been fixed, but admits it shares phone numbers with partner sites

O2 has quickly fixed a flaw that leaked customer phone numbers to websites they visited - but admitted it still hands such data to some "trusted partners".

The flaw, uncovered by system administrator Lewis Peckover, meant websites could potentially have harvested phone numbers from visitors on O2's network, and it caused an uproar over privacy concerns.

The mobile operator said it normally passes phone numbers to "trusted partners", for example for billing reasons, but said that since 10 January such information had mistakenly been passed to other sites after "technical changes" following "routine maintenance".

"We have seen the report published this morning suggesting the potential for disclosure of customers’ mobile phone numbers to website owners," O2 said in a statement on its website.

"We investigated, identified and fixed it this afternoon," it added. "We would like to apologise for the concern we have caused."

However, O2 noted that it does share mobile numbers with some websites, for age verification, billing for premium content such as downloads or ringtones, and to identify O2 customers on its own sites.

"When you browse from an O2 mobile, we add the user's mobile number to this technical information, but only with certain trusted partners," O2 said. "This is standard industry practice."

However, Peckover noted: "Some questions still remain about which 'trusted partners' do get to see your phone number, but I'm not holding my breath for a response on that one."

We've asked for clarification on what sites O2 considers "trusted partners", but have yet to hear back from the firm.

O2 claimed the phone numbers could not be linked to other identifying information about customers, and confirmed the original report that the leak only occurred over 3G, not Wi-Fi.

The mobile operator has said it is working with the Information Commissioner's Office regarding the incident, and has also been in touch with Ofcom.
