O2 Apologises and Fixes Number Leak Security Flaw

O2 has apologised after it was forced to fix a security flaw which disclosed customers’ mobile phone numbers to every site they visited.

The mobile operator has said that the flaw resulted from technical changes implemented as part of routine maintenance and that it has been in contact with the Information Commissioner’s Office (ICO) and Ofcom.

Trusted Partners

“Security is of the utmost importance to us and we take the protection of our customers’ data extremely seriously,” said O2 in a blog post yesterday. “We have seen the report published this morning suggesting the potential for disclosure of customers’ mobile phone numbers to website owners.”

“We investigated, identified and fixed it this afternoon. We would like to apologise for the concern we have caused,” it added.

The network explained that certain technical information about a user’s device was sent every time they browsed a website in order to enable optimisation, but that it also passed on the phone number to certain “trusted partners”.

It added that this was “standard industry practice” as it allowed operators to manage access to adult content, and allowed third parties to bill users for premium content and to identify customers using O2 services such as My O2.

O2 said that customers who accessed websites on its 3G and WAP mobile internet services between 10 January and 14:00 on 25 January also had their numbers shared with sites which were not “trusted partners”, but added that the numbers could not be linked to any other identifying information.

Twitter Alarm

“It seems that other networks now protect users against sharing your mobile number in this way but they do share an awful lot of information about the make and model of the phone you are using among other things,” commented Stuart Coulson, director of data centres for security firm Secarma. “This information can be used legitimately to modify the site for different phones, for example, but it seems like an excessive amount of personal information to take only for this purpose.”

The leak was exposed yesterday when a Twitter user named ‘Lewispeckover’ created a website after he discovered his number was being sent to websites when he used his mobile. The flaw was then confirmed by a test carried out by Sophos senior technology analyst Graham Cluley, who also suggested that it had been known about for as long as two years.

The news is unlikely to ease concerns held by many that mobile users are not taking security seriously. McAfee research found that 70 percent of users said that they considered their devices to be safe from cybercrime, despite 67 percent not having even the basic level of security on their phone.

Steve McCaskill

Steve McCaskill is editor of TechWeekEurope and ChannelBiz. He joined as a reporter in 2011 and covers all areas of IT, with a particular interest in telecommunications, mobile and networking, along with sports technology.

View Comments

  • Interesting that this has been 'known about for as long as two years'. O2's damage limitation yesterday on the evening news said that the flaw had only existed for about two weeks, i.e. since they were publicly caught out by the Twitter user. Were they lying or was the BBC misreporting them, or is the Sophos expert wrong?
