O2 Phone Number Leaking Scandal

piper99 · Joined: 31 Aug 2009 Location: Middle Of Nowhere

O2’s sending some customer phone numbers to sites they visit…
It seems that not everyone’s number is being exposed by O2. We’ve tested it and we can confirm that O2 sends our phone number to the websites we visit. Others haven’t seen it, so perhaps it’s only a certain subset of O2 customers that are affected. But it does seem that the majority of O2 users are seeing their number sent out.

…in the header data that’s sent out when you request a site…
Your number is apparently included in the HTTP header data that’s sent out every time you request something from a server, like a site, image or video. You can check to see if you’re affected by going to Lewis Peckover’s handy header reporting site, IsMyNumberVisible (warning: this might be a scam according to commenters below), or the MNO Privacy Checker.

…only when you’re on the O2 network…
O2 only sends out your number when you’re on its network. That means if you’re on Wi-Fi on an O2 phone, you’re not broadcasting your number like you would be if you were on 2/3G. It also doesn’t seem to be affecting dongles, at least those of the 4G variety.
Other MVNOs running on the O2 network, like GiffGaff and Tesco mobile for instance, also seem to be exposing your number. That’s not really a surprise considering O2 provides the infrastructure on which they run. Anything that affects O2 should also affect anything else using O2’s network.

…and using any phone other than a BlackBerry…
It was first assumed to be something to do with the phone and browser you were using, but that doesn’t seem to be the case. Various users have reported seeing their numbers on Android, iOS and Windows Phone devices. The only devices that seem to be excluded from the number-sharing party are BlackBerrys. That’s probably because all data, including web browsing, email and anything else, is funnelled through RIM’s servers, which potentially protects you from this kind of thing.

…which allows the sites to collect your data…
The problem won’t be the majority of sites; they don’t generally capture header data. It’ll be the nefarious sites; the ones that are after your personal data that’ll be the problem. It’s apparently been happening for various networks for a while now, but the issue has now been blown out to the wind, so there’s no reason number phishing sites won’t crop up, if they’re not out there already. Now is the time to be super careful about that shortened link someone just sent you, if you’re an O2 customer.

…but more than that, any advert or email image can expose your number…
The problem of sending your number out in the HTTP header isn’t just about sites being able to grab it. Any advert on a site you visit will also get access to that data. So you could see legitimate sites poisoned by an advert that captures that data, ending up with you getting spammed.
It doesn’t just stop with web browsing either; images in emails are downloaded from servers and as your phone contacts the server to pull down the image, O2 will send over your header information, so you’re being exposed there too.

…and that could mean any unscrupulous miscreant phishing via email could get your number…
Exposing your number via email is potentially worse, from a phishing point of view at least. The good old spammers can now get in on the act too, as they only have to include an image in their emails to you to grab your phone number if you download it while on O2’s cellular network.

…and that means you’re vulnerable to spam texts and nuisance calls…
Some private person getting your phone number is one thing. They’re probably not going to ring it, and even if they do they’ll probably get bored trying to harass you and give up. The spammers though, they feel no such thing as boredom. If a spammer gets your number, you could be inundated by spam texts, cold calls, recorded messages, you name it. Unfortunately, although that kind of thing is illegal in the UK without consent, there’s not much in the way of recourse when it’s got that far. You’ll probably just have to change your number.

…and the ICO’s not happy either…
The Information Commissioner’s Office has got involved now too, and is in the process of investigating the issue to see what’s really happening. In a statement sent to Which? ICO said:
“Keeping people’s personal information secure is a fundamental principle that sits at the heart of the Data Protection Act and the Privacy and Electronic Communications Regulations. When people visit a website via their mobile phone they would not expect their number to be made available to that website.”
“We will now speak to O2 to remind them of their data breach notification obligations, and to better understand what has happened, before we decide how to proceed.”
So it looks like it’s not just customers that are getting mad about this. Then again there’s a debate over whether your phone number without your name is personally identifiable information, and whether this is a matter for ICO in the first place.

…so O2 really needed to put a stop to this for everyone, pronto…
O2 is currently investigating the issue, calling it a “top priority”, and by golly it should be. It’s probably nothing malicious on O2’s part; just a balls-up somewhere. I can’t see a reason why O2 would want to send out your number, apart from to its own websites to help identify you as a customer. It’s possible that your number is only meant to go to O2 sites, and someone somewhere has flicked a switch to always send it out, or failed to screen out every other site.
Whatever happens, perhaps now would be a good time to stick to Wi-Fi browsing if you are on O2 and not using a BlackBerry. I would also check to see if your number is being broadcast using one of the three sites mentioned above, because it seems not everyone is afflicted and you might be lucky.

…and thankfully it looks like O2′s managed to plug its leak…
That was quick. It looks like O2′s fixed or is in the process of fixing the bug that was broadcasting your number. Tweets and status updates are coming in that O2 users’ phone numbers are no longer being shown. We can corroborate that too:

Same phone, same site, no number. Let’s hope that’s the end of the number leak, but O2 might face some stiff repercussions if the ICO deems the leak to be a breach of privacy. If you’re an O2 customer, I would still stay clear of using 2/3G until O2 comes out and confirms its fixed the problem — better safe than sorry. Then again you can always check for yourself.

…and now it’s come out and apologised.
O2′s written up an apology, of sorts. It’s apparently been sharing user’s numbers with any and all sites browsed over its network since the 10th of January, but managed to shut it off today at 2pm. Apparently it was routine maintenance that caused the problem.
The interesting bit, however, is that O2 shares your phone number with “trusted partners” for “age verification, premium content billing, such as for downloads, and O2′s own services”, which is a “standard industry practice”. That may not come as a surprise to anyone, but it would be nice if we were made aware of this at the time and with whom we’d be sharing our number with.
I’m sure that any network that uses the adult content filter that requires a credit card to prove you’re over 18 to remove for instance, probably does this on the basis of your phone number as an identifier. I suspect there’ll be repercussions coming out of this phone number sharing balls up, not necessarily just limited to O2, now that we know they give out our phone numbers as we browse particular sites. It certainly would be nice to know who these ”trusted partners” are.

Bradley · Joined: 02 Jun 2011

This might be the final straw for me and O2 and I think I will be checking out the competition when my contract expires in 2 months time