O2 Attracts Most Data Breach Complaints In All Of Britain

Exclusive: An FOI request reveals O2 has attracted more data protection complaints in one year than Google and Sony combined

Major British operator O2 attracted more complaints relating to data breaches over the last year than any other public or private organisation in the UK, whilst the Department of Work and Pensions (DWP) received more than any government body.

The figures, revealed when TechWeekEurope made a freedom of information (FOI) request to the Information Commissioner’s Office (ICO), showed the watchdog received 48 complaints over alleged O2 data breaches between 28 August 2011 and the same date this year.

The ICO looked at complaints surrounding “disclosure of data” and “security”, both of which it said related to data protection issues and information breaches in particular.

O2 was caught up in a data protection storm in January this year, when a flawed update led to O2 disclosing customers’ mobile phone numbers to every site they visited.

O2 said a select group of “trusted partners” were handed phone numbers to manage age verification and premium content billing, as well as for identifying O2 customers for services such as the Priority Moments reward scheme. But the flaw meant numbers were also revealed to untrusted partners until the fix was issued.

The ICO was considering an investigation, but confirmed the issue was resolved in July, with no further action needed.

O2 had little to say on the FOI’s findings. “We take data protection very seriously,” an O2 spokesperson said.

“This is the number of complaints which the ICO has received, it does not necessarily mean that ICO upheld the complaints.

“The Privacy Policy on our website helps O2 customers understand how we manage their data and use their information – if they have any concerns, our Customer Service team are available to help.”

O2 more maligned than Google and Sony combined?

Yet O2 might want to take a hint from the data. The FOI request data shows Telefonica UK, the owner of the O2 brand, received more complaints than either Google and Sony combined, even though both were involved in high-profile investigations by the ICO following significant data breaches.

Since April 2011, when the massive Sony PlayStation Network breach happened, leaking data on 77 million users globally and 3 million in the UK, the ICO has only received six complaints relating to the Japanese electronics giant. Only one of those complaints mentioned the PSN breach, indicating UK gamers were not too bothered by the hack.

The ICO continues to investigate the Sony data breach. Having told this publication a decision was imminent way back in March, it has still not made an announcement. A spokesperson said today that a decision may be reached in the next few weeks. Our FOI request asked for access to communications between ICO and Sony, but this was declined as the ICO FOI team said public interest was not sufficient.

As for Google, the ICO figures revealed a mismatch between media interest and public concern. In a Wi-Fi data slurping debacle in 2010, known as “WiSpy”, Google’s Street View cars harvested personal data from any unencrypted Wi-Fi networks they encountered while mapping the UK’s roads. Despite media and regulator scrutiny, few people actually seem to have complained to the ICO about Google. 

Between 1 January 2009 and 28 August 2012, there were just 30 complaints relating to Google. Of those, 17 related to Street View, but 14 were only complaints about Street View images. Just three related to the Wi-Fi data slurping issue.

In July, the ICO reopened its investigation into that case, after fresh details emerged, as a US Federal Communications Commission (FCC) report found Google workers knew about the code that captured data, even though Google previously indicated the whole debacle was just a mistake.

The FCC report also suggested more personal data was collected than originally believed, including medical listings, information in relation to online dating and visits to pornographic sites.

Public sector problems

In the public sector, the Department of Work and Pensions (DWP) attracted more complaints than any other public sector body over the past year. However, it sparked 38 complaints over alleged breaches, which was less than O2’s total of 48.

This could give extra ammunition to those who have criticised the ICO for fining public bodies more often than it penalises those in the public sector.

Data protection issues at the DWP were also exposed by an FOI request put in by Channel 4’s Dispatches programme, which revealed in May that 992 DWP staff members had been disciplined for data offences in just ten months.

According to Computer Weekly, public bodies have sacked at least 120 employees for abusing access to the Customer Information System, thought to be the “largest government database of personal information in Europe”.

The DWP did not talk about the new figures directly, sending over this response from a department spokesperson: “The DWP employs nearly 100,000 staff serving over 20 million people at any one time, carrying out millions of data transactions a year.

“We take all complaints about data protection extremely seriously. We have a number of security measures in place to protect personal data and tough disciplinary procedures for any members of staff found to have breached data protection rules.”

ICO fines in question

Stewart Room, data protection lawyer and partner in Field Fisher Waterhouse’s Privacy and Information Law Group, said he was surprised by the  low numbers of complaints. That could undermine the ICO’s perceived authority to issue fines, as the watchdog has to base its monetary penalties on the effect on people’s lives.

“It suggests that members of the public in the UK are not as stressed out by data protection as the regulators might have us believe,” Room said – or else they may not actually know about the ICO and its powers.

“This is very important to the issue of financial penalties also, because ICO has to show a likelihood of harm – namely damage or distress – resulting from bad data protection before it can issue a fine.

“If people are not complaining in any meaningful sense, one wonders how it will be possible for ICO to claim a likelihood of harm when it comes to fines.”

UPDATE: The ICO wanted to make it clear that the FOI request was for alleged breaches where the nature of the complaint was recorded as security or disclosure of data only. The article has been amended slightly to make that clearer.

How well do you know Internet security? Try our quiz and find out!