O2 Being Watched Over Phone Number Privacy Leak
O2 is being watched by The Information Commissioner's Office after it was yesterday revealed to have shared mobile 3G users' phone numbers with every website they visited.
O2 acted on the issue, which was repaired yesterday, but the ICO told The Huffington Post via telephone that a number of complaints by O2 customers mean the ICO is now paying close attention to the UK mobile carrier.
Yesterday afternoon, O2 told Huffington Post via email: “We have seen the report published this morning suggesting the potential for disclosure of customers’ mobile phone numbers to website owners. We have investigated, identified and fixed it this afternoon. We would like to apologise for the concern we have caused. Further information can be found here: http://j.mp/MPNblog”
On the company's blog, they wrote "We are in contact with the Information Commissioner's office, and we will be co-operating fully."
In a statement, the ICO wrote: "Keeping people's personal information secure is a fundamental principle that sits at the heart of the Data Protection Act and the privacy and electronic communications regulations. When people visit a website via their mobile phone they would not expect their number to be made available to that website. We will now speak to O2 to remind them of their data breach notification obligations, and to better understand what has happened, before we decide how to proceed."
The phone number leak was brought to the company's attention yesterday by Lewis Peckover, a 28-year-old system administrator from London, who works for a company specialising in mobile gaming.
He tweeted @O2 to let them know that O2 customers' private numbers were being left on websites when browsing the internet using the O2 3G network.
The online privacy issue had been raised by online security company Sophos in 2010, though no response was received.
Sophos told the Huffington Post that the privacy leak was more likely a mistake than a malicious attempt to share user details.
Graham Cluley, senior technology consultant at Sophos, said the danger in sharing user phone numbers is that they could be used for phishing or spam.
Despite O2's apology, many customers remain disgruntled and left comments on the O2 blog asking for the full list of sites that received their phone numbers.
One commenter on their blog wrote "Will users be able to cancel their contracts without charge due to the DPA breach?"
Some were gentle, writing "Full and quick response, well done. Sadly you should have been aware of this 2 weeks ago."
Others were not so forgiving. One commenter wrote "This statemenet (sic) is false. You weren't just sending it to "trusted partners" but to every website I visited. How dare you state such a blatantly obvious lie."
O2 were contacted for further comment today, but did not respond.