“We investigated, identified and fixed it this afternoon. We would like to apologise for the concern we have caused,” O2 said in a post on its website.
O2 admitted that “technical information”, including the mobile phone number when a handset is used to browse the web, is passed to website owners. The mobile network said this was standard practice: the information is passed for age verification when adult content is accessed, to allow third parties to bill O2 for premium services such as ringtone downloads, and to identify customers using O2’s own services, including its discounts scheme Priority Moments.
However, between January 10 and 2pm yesterday (Wednesday January 25) this “technical information” was potentially also made available to websites other than those usual parties. O2 stressed that only those who browsed the web using 3G or WAP were affected, while those who had used Wi-Fi would not have been exposed by the glitch.
O2 blamed “technical changes as part of routine maintenance” for the flaw but said it has now been fixed.
The flaw was identified by Lewis Peckover, a system administrator for a mobile gaming company and an O2 customer. He set up a website that demonstrated the issue and allowed others to check whether their number was being revealed. However, according to Graham Cluley, senior technology consultant at security firm Sophos, the issue “has been known about for almost two years at least”.
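The check Peckover’s site performed can be reproduced with a small server that echoes back any request header whose value looks like a UK mobile number. The following Python block is an added example, not Peckover’s site or O2’s code; the header name X-Operator-Subscriber-Id, the number 447700900123 and the rest of SAMPLE_HEADERS are constructed for illustration and are not the headers O2 actually sent.

```python
import re
from typing import Dict, List, Tuple

# Constructed request headers standing in for what an operator's gateway might
# add to a handset's outbound HTTP request. The header name and number below are
# illustrative assumptions, not the values O2's network used.
SAMPLE_HEADERS: Dict[str, str] = {
    "Host": "example.test",
    "User-Agent": "Mozilla/5.0 (Linux; Android 2.3)",
    "Accept": "text/html",
    "X-Forwarded-For": "10.20.30.40",          # an IP address, not a phone number
    "X-Operator-Subscriber-Id": "447700900123",  # hypothetical leaked MSISDN
    "X-Via": "wap-gateway-01",
}

# UK mobile number (MSISDN): international form 447 + nine digits, or national
# form 07 + nine digits, with an optional leading '+'.
MSISDN_RE = re.compile(r"^\+?(?:447\d{9}|07\d{9})$")


def find_leaked_msisdns(headers: Dict[str, str]) -> List[Tuple[str, str]]:
    """Return (header name, value) pairs whose value looks like a UK mobile number."""
    hits: List[Tuple[str, str]] = []
    for name, value in headers.items():
        # Tolerate the spacing/hyphenation people use when writing numbers down.
        candidate = value.strip().replace(" ", "").replace("-", "")
        if MSISDN_RE.match(candidate):
            hits.append((name, value))
    return hits


def mask(msisdn: str) -> str:
    """Show only the last four digits so the checker itself does not re-leak the number."""
    digits = re.sub(r"\D", "", msisdn)
    return "*" * (len(digits) - 4) + digits[-4:]


def report(headers: Dict[str, str]) -> str:
    """Human-readable result of the check for one request."""
    hits = find_leaked_msisdns(headers)
    if not hits:
        return "No header carried a mobile-number-like value."
    lines = ["Your mobile number appears to be sent to this site in:"]
    for name, value in hits:
        lines.append(f"  {name}: {mask(value)}")
    return "\n".join(lines)


def headers_from_environ(environ: Dict[str, str]) -> Dict[str, str]:
    """Recover request headers from WSGI's HTTP_* environ keys."""
    headers: Dict[str, str] = {}
    for key, value in environ.items():
        if key.startswith("HTTP_"):
            name = key[5:].replace("_", "-").title()  # HTTP_X_VIA -> X-Via
            headers[name] = value
    return headers


def wsgi_app(environ, start_response):
    """Minimal WSGI endpoint: visit it from the handset to see what the network adds."""
    body = report(headers_from_environ(environ)).encode("utf-8")
    start_response("200 OK", [("Content-Type", "text/plain; charset=utf-8"),
                              ("Content-Length", str(len(body)))])
    return [body]


if __name__ == "__main__":
    # Serve the checker locally; browse to it over the mobile network, not Wi-Fi.
    from wsgiref.simple_server import make_server
    print(report(SAMPLE_HEADERS))  # offline demonstration on the constructed headers
    with make_server("", 8080, wsgi_app) as httpd:
        httpd.serve_forever()
```

The result only means something when the request actually traverses the operator’s network: a handset on Wi-Fi sends its requests straight to the internet and never passes the gateway that adds such headers, which is why Wi-Fi users were unaffected. The pattern above catches the two common UK formats; a number written in another country’s format would need its own expression.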
According to a blog post by Cluley, Berlin student Collin Mulliner revealed the issue at the CanSecWest conference in Vancouver in March 2010. Not only did he present a paper on the topic entitled ‘Privacy Leaks in Mobile Phone Internet Access’, but the issue was also discussed and reported in the technology press.
O2 has also revealed it is in contact with the Information Commissioner’s Office regarding the data leak and “will be co-operating fully”. It also said it had informed the regulator Ofcom about the incident.