O2 Admits Privacy Breach And Fixes It




UK network O2 has admitted a breach of customers' information and says it's now been fixed.

Earlier today, The Verge website revealed that O2 customers' mobile phone numbers were given away every time they browsed a website on their phones.
"British cellphone carrier O2 appears to be sending customers' cellphone numbers in HTTP header traffic, inserting the info in data sent to websites over O2's connection. Lewis Peckover discovered the problem this week and set up a website to document it. The site allows O2 users in the UK to check to see whether their number is being sent along with HTTP traffic. We have confirmed the issue on two O2 numbers in the UK, and our testing with other networks indicates it is isolated to O2. Orange, Three and Vodafone were unaffected in our tests".
O2 very quickly came clean and admitted the mistake, blaming "routine maintenance", and says it's now put it right. It's posted an explanation and a Q&A on its blog:

O2 mobile numbers and web browsing

Security is of the utmost importance to us and we take the protection of our customers’ data extremely seriously.

We have seen the report published this morning suggesting the potential for disclosure of customers’ mobile phone numbers to website owners.
We investigated, identified and fixed it this afternoon. We would like to apologise for the concern we have caused.

Below is a set of Q&As, to answer questions we've been receiving. If you have further questions, do leave them in the blog comments and we will do our best to answer as many as possible.


Q: What's happened with O2 mobile numbers when I browse the internet on my mobile?
A: Every time you browse a website (via mobile or desktop), certain technical information about the machine you are using is passed to website owners. This happens across the internet, and enables website owners to optimise the site you see. When you browse from an O2 mobile, we add the user's mobile number to this technical information, but only with certain trusted partners. This is standard industry practice. We share mobile numbers with selected trusted partners for 3 reasons: 1) to manage age verification, which manages access to adult content, 2) to enable third party content partners to bill for premium content such as downloads or ring tones that the customer has purchased, 3) to identify customers using O2 services, such as My O2 and Priority Moments. This only happens over 3G and WAP data services, not WiFi.

Q: How long has this been happening?
A: In between the 10th of January and 1400 Wednesday 25th of January, in addition to the usual trusted partners, there has been the potential for disclosure of customers’ mobile phone numbers to further website owners.

Q: Has it been fixed?
A: Yes. It was fixed as of 1400 on Wednesday 25th January 2012. 

Q: Which of my information can website owners access?
A: The only information websites had access to is your mobile number, which could not have been linked to any other identifying information we have about customers.  

Q: Why did this happen?
A: Technical changes we implemented as part of routine maintenance had the unintended effect of making it possible in certain circumstances for website owners to see the mobile numbers of those browsing their site.

Q: Which customers were affected?
A: It affected customers accessing the internet via their mobile phone on 3G or WAP services, but not WIFI, between 10th of January and 1400 on Wednesday the 25th of January.

Q: Which websites do you normally share my mobile number with?
A: Only where absolutely required by trusted partners who work with us on age verification, premium content billing, such as for downloads, and O2's own services, have access to these mobile numbers.

Q: The Information Commissioner said he is investigating - what are you doing as part of this?
A: We are in contact with the Information Commissioner's office, and we will be co-operating fully. We have also contacted OFCOM.
 (Source: O2 Blog)
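
One way a site operator or tester could check incoming request headers for the kind of leak described above, as an added example that is not code from the article, The Verge, Lewis Peckover's site or O2. The header name `X-Example-Subscriber-Id`, the sample requests and the phone numbers are constructed for illustration; the article does not name the header involved.

```python
import re

# UK mobile numbers written as 07xxxxxxxxx, 447xxxxxxxxx or +447xxxxxxxxx.
# The lookarounds reject matches embedded in a longer run of digits
# (session IDs, build numbers), which keeps false positives down.
UK_MOBILE = re.compile(r"(?<!\d)(?:\+?44|0)7\d{9}(?!\d)")


def mask(number):
    """Keep only the last three digits so the report does not store the number."""
    return "*" * (len(number) - 3) + number[-3:]


def find_number_headers(headers):
    """Return (header name, masked number) for every header value that
    contains something shaped like a UK mobile number."""
    findings = []
    for name, value in headers.items():
        for match in UK_MOBILE.finditer(value):
            findings.append((name, mask(match.group())))
    return findings


# Constructed request as it might arrive via a carrier proxy that adds a
# subscriber header (hypothetical header name, constructed number).
SAMPLE_MOBILE = {
    "Host": "example.org",
    "User-Agent": "Mozilla/5.0 (Linux; U; Android 2.3.6) AppleWebKit/533.1",
    "Cookie": "session=8f3a0771234567890123",  # long digit run, must not match
    "X-Example-Subscriber-Id": "447700900123",
}

# Constructed request from the same browser over WiFi: no extra header.
SAMPLE_WIFI = {
    "Host": "example.org",
    "User-Agent": "Mozilla/5.0 (Linux; U; Android 2.3.6) AppleWebKit/533.1",
    "Cookie": "session=8f3a0771234567890123",
}

if __name__ == "__main__":
    for label, hdrs in (("mobile data", SAMPLE_MOBILE), ("wifi", SAMPLE_WIFI)):
        hits = find_number_headers(hdrs)
        print(label, "->", hits if hits else "no phone-number-shaped values")
```

The pattern is a heuristic: it flags number-shaped values in any header, so a hit still needs a look at which header carried it and whether the client or a network intermediary added it.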
