O2 Apologises and Fixes Number Leak Security Flaw

O2 claims that it now only shares customers’ numbers with ‘trusted partners’

O2 has apologised after it was forced to fix a security flaw which disclosed customers’ mobile phone numbers to every site they visited.

The mobile operator has said that the flaw resulted from technical changes implemented as part of routine maintenance and that it has been in contact with the Information Commissioner’s Office (ICO) and Ofcom.

Trusted Partners

“Security is of the utmost importance to us and we take the protection of our customers’ data extremely seriously,” said O2 in a blog post yesterday. “We have seen the report published this morning suggesting the potential for disclosure of customers’ mobile phone numbers to website owners.”

“We investigated, identified and fixed it this afternoon. We would like to apologise for the concern we have caused,” it added.

The network explained that certain technical information about a user’s device was sent every time they browsed a website in order to enable optimisation, but that it also passed on the phone number to certain “trusted partners”.

It added that this was “standard industry practice” as it allowed operators to manage access to adult content, and allowed third parties to bill users for premium content and to identify customers using O2 services such as My O2.

O2 said that customers who accessed websites on its 3G and WAP mobile internet services between 10 January and 1400 on 25 January also had their numbers shared with sites which were not “trusted partners”, but added that the numbers could not be linked to any other identifying information.

Twitter Alarm

“It seems that other networks now protect users against sharing your mobile number in this way but they do share an awful lot of information about the make and model of the phone you are using among other things,” commented Stuart Coulson, director of data centres for security firm Secarma. “This information can be used legitimately to modify the site for different phones, for example, but it seems like an excessive amount of personal information to take only for this purpose.”

The leak was exposed yesterday when a Twitter user named ‘Lewispeckover’ created a website after he discovered his number was being sent to websites when he used his mobile. The flaw was then confirmed by a test carried out by Sophos senior technology analyst Graham Cluley, who also suggested that it had been known about for as long as two years.

The news is unlikely to ease concerns held by many that mobile users are not taking security seriously. McAfee research found that 70 percent of users said that they considered their devices to be safe from cybercrime, despite 67 percent not having even the basic level of security on their phone.