O2 Apologises and Fixes Number Leak Security Flaw

O2 has apologised after it was forced to fix a security flaw which disclosed customers’ mobile phone numbers to every site they visited.

The mobile operator has said that the flaw resulted from technical changes implemented as part of routine maintenance and that it has been in contact with the Information Commissioner’s Office (ICO) and Ofcom.

Trusted Partners

“Security is of the utmost importance to us and we take the protection of our customers’ data extremely seriously,” said O2 in a blog post yesterday. “We have seen the report published this morning suggesting the potential for disclosure of customers’ mobile phone numbers to website owners.”

“We investigated, identified and fixed it this afternoon. We would like to apologise for the concern we have caused,” it added.

The network explained that certain technical information about a user’s device was sent every time they browsed a website in order to enable optimisation, but that it also passed on the phone number to certain “trusted partners”.

It added that this was “standard industry practice” as it allowed operators to manage access to adult content, and allowed third parties to bill users for premium content and to identify customers using O2 services such as My O2.

O2 said that customers who accessed websites on its 3G and WAP mobile internet services between 10 January and 1400 25 January also shared their numbers with sites which were not “trusted partners” but added that the numbers could not be linked to any other identifying information.

Twitter Alarm

“It seems that other networks now protect users against sharing your mobile number in this way but they do share an awful lot of information about the make and model of the phone you are using among other things,” commented Stuart Coulson, director of data centres for security firm Secarma. “This information can be used legitimately to modify the site for different phones, for example, but it seems like an excessive amount of personal information to take only for this purpose.”

The leak was exposed yesterday when a Twitter user named ‘Lewispeckover’ created a website after he discovered his number was being sent to websites when he used his mobile. The flaw was then confirmed by a test carried out by Sophos senior technology analyst Graham Cluley, who also suggested that it had been known about for as long as two years.

The news is unlikely to ease concerns held by many that mobile users are not taking security seriously. McAfee research found that 70 percent of users said that they considered their devices to be safe from cybercrime, despite 67 percent not having even the basic level of security on their phone.

Steve McCaskill

Steve McCaskill is editor of TechWeekEurope and ChannelBiz. He joined as a reporter in 2011 and covers all areas of IT, with a particular interest in telecommunications, mobile and networking, along with sports technology.

View Comments

  • Interesting that this has been 'known about for as long as two years'. O2's damage limitation yesterday on the evening news said that the flaw had only existed for about two weeks, i.e. since they were publicly caught out by the Twitter user. Were they lying or was the BBC misreporting them, or is the Sophos expert wrong?
