O2 has apologised after it was forced to fix a security flaw which disclosed customers’ mobile phone numbers to every site they visited.
The mobile operator has said that the flaw resulted from technical changes implemented as part of routine maintenance and that it has been in contact with the Information Commissioner’s Office (ICO) and Ofcom.
“We investigated, identified and fixed it this afternoon. We would like to apologise for the concern we have caused,” it added.
The network explained that certain technical information about a user’s device was sent every time they browsed a website in order to enable optimisation, but that it also passed on the phone number to certain “trusted partners”.
It added that this was “standard industry practice” as it allowed operators to manage access to adult content, and allowed third parties to bill users for premium content and to identify customers using O2 services such as My O2.
O2 said that customers who accessed websites on its 3G and WAP mobile internet services between 10 January and 1400 25 January also shared their numbers with sites which were not “trusted partners” but added that the numbers could not be linked to any other identifying information.
“It seems that other networks now protect users against sharing your mobile number in this way but they do share an awful lot of information about the make and model of the phone you are using among other things,” commented Stuart Coulson, director of data centres for security firm Secarma. “This information can be used legitimately to modify the site for different phones, for example, but it seems like an excessive amount of personal information to take only for this purpose.”
The leak was exposed yesterday when a Twitter user named ‘Lewispeckover’ created a website after he discovered his number was being sent to websites when he used his mobile. The flaw was then confirmed by a test carried out by Sophos senior technology analyst Graham Cluley, who also suggested that it had been known about for as long as two years.
The news is unlikely to ease concerns held by many that mobile users are not taking security seriously. McAfee research found that 70 percent of users said that they considered their devices to be safe from cybercrime, despite 67 percent not having even the basic level of security on their phone.
View Comments
Interesting that this has been 'known about for as long as two years'. O2's damage limitation yesterday on the evening news said that the flaw had only existed for about two weeks, i.e. since they were publicly caught out by the Twitter user. Were they lying or was the BBC misreporting them, or is the Sophos expert wrong?