Security is of the utmost importance to us and we take the protection of our customers’ data extremely seriously.
We have seen the report published this morning suggesting the potential for disclosure of customers’ mobile phone numbers to website owners.
We investigated, identified and fixed it this afternoon. We would like to apologise for the concern we have caused.
Below is a set of Q&As, to answer questions we've been receiving. If you have further questions, do leave them in the blog comments and we will do our best to answer as many as possible.
Q: What's happened with O2 mobile numbers when I browse the internet on my mobile?
A: Every time you browse a website (via mobile or desktop), certain technical information about the machine you are using is passed to website owners. This happens across the internet, and enables website owners to optimise the site you see. When you browse from an O2 mobile, we add the user's mobile number to this technical information, but only with certain trusted partners. This is standard industry practice. We share mobile numbers with selected trusted partners for 3 reasons:
1. To manage age verification, which manages access to adult content.
2. To enable third party content partners to bill for premium content, such as downloads or ring tones, that the customer has purchased.
3. To identify customers using O2 services, such as My O2 and Priority Moments.
This only happens over 3G and WAP data services, not Wifi.
Q: How long has this been happening?
A: Between the 10th of January and 1400 on Wednesday 25th of January, in addition to the usual trusted partners, there has been the potential for disclosure of customers’ mobile phone numbers to further website owners.
Q: Has it been fixed?
A: Yes. It was fixed as of 1400 on Wednesday 25th January 2012.
Q: Which of my information can website owners access?
A: The only information websites had access to is your mobile number, which could not have been linked to any other identifying information we have about customers.
Q: Why did this happen?
A: Technical changes we implemented as part of routine maintenance had the unintended effect of making it possible in certain circumstances for website owners to see the mobile numbers of those browsing their site.
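An added example, not O2's code and not part of the original statement: a sketch of a fail-closed rule for a proxy that attaches a subscriber number only for allowlisted hosts, the behaviour described under "What's happened" and the guard whose absence "Why did this happen" describes. The header name, host names, sample number and function names are hypothetical or constructed.

```python
from urllib.parse import urlsplit

# Hypothetical header name; the page does not say which field carries the number.
SUBSCRIBER_HEADER = "X-Subscriber-Number"
# Constructed allowlist standing in for the vetted partner hosts.
TRUSTED_HOSTS = frozenset({"billing.partner.example", "ageverify.partner.example"})


def _host(url):
    """Normalised host of an http(s) URL, or None if it cannot be trusted."""
    try:
        parts = urlsplit(url)
    except ValueError:  # malformed URL: treat as untrusted
        return None
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return None
    return parts.hostname.rstrip(".").lower()


def enrich_headers(url, client_headers, msisdn, trusted_hosts=TRUSTED_HOSTS):
    """Return the headers the proxy forwards upstream for this request."""
    # Always drop any copy of the header sent by the handset, so a client
    # cannot supply its own value and a stale one is never forwarded.
    out = {k: v for k, v in client_headers.items()
           if k.lower() != SUBSCRIBER_HEADER.lower()}
    # Fail closed: attach the number only on an exact allowlist match.
    # An empty or unloaded allowlist therefore shares with nobody.
    host = _host(url)
    if msisdn and host is not None and host in trusted_hosts:
        out[SUBSCRIBER_HEADER] = msisdn
    return out


def hosts_receiving_number(urls, msisdn, trusted_hosts=TRUSTED_HOSTS):
    """Regression check to run after any proxy change: which hosts get the number."""
    seen = set()
    for url in urls:
        sent = enrich_headers(url, {"User-Agent": "regression"}, msisdn, trusted_hosts)
        if SUBSCRIBER_HEADER in sent:
            seen.add(_host(url))
    return seen
```

Running `hosts_receiving_number` over a mix of partner and non-partner URLs and comparing the result with the expected partner set gives a check that can gate a maintenance change before it reaches production.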
Q: Which customers were affected?
A: It affected customers accessing the internet via their mobile phone on 3G or WAP services, but not Wifi, between 10th of January and 1400 on Wednesday the 25th of January.
Q: Which websites do you normally share my mobile number with?
A: Only trusted partners who work with us on age verification, premium content billing (such as for downloads) and O2's own services have access to these mobile numbers, and only where absolutely required.
Q: The Information Commissioner said he is investigating - what are you doing as part of this?
A: We are in contact with the Information Commissioner's office, and we will be co-operating fully. We have also contacted OFCOM.
Update - 26 January 2012 - Additional Q&As:
Q. Who are your trusted partners?
A. There are two instances where we share your mobile phone number with websites:
1. Trusted partner sites
Our trusted partners are those sites that require a mobile number when you visit them in order to offer you ringtones, wallpapers and content direct to your phone. We carefully vet these sites, and only work with them under contractual obligation, to ensure your mobile phone number is only used to bill you.
2. Age verification
We share mobile numbers with two age verification partners, for child protection purposes. For those customers that have not verified with us that they are over 18, we share your number with Bango.net and Eckoh.com who then verify your age before you are able to access sites with over 18 content. Your number is not shared further than these two partners.
Q: Can I opt out of O2 sharing my mobile number with these partners?
A. It is not possible to opt out of our age verification process, which exists for child protection purposes.
You can choose not to visit our trusted partners whose sites offer you ringtones, wallpapers and content direct to your phone. These sites require your mobile phone number in order to complete the purchase and charge it to your mobile bill.
Q. Why does everyone need to age verify?
A. To ensure that children are protected from inappropriate content when using the internet on their phones, we require customers to prove they are over 18 before they can use these sites. Access to 18+ rated websites is therefore blocked by default. Customers only have to age verify once. For more information on age verification, please see our website: https://ageverification.o2.co.uk/
Q: I want to leave O2 with immediate effect because you have breached T&Cs / shared my data without my consent. Can I?
A. This was a technical error that has now been rectified. We have not breached our terms of service. In light of this, customers’ contracts remain valid and O2 shall continue to provide you a service in accordance with your contract.
Q: How are you compensating customers?
A. As part of our usual business practice, we consider compensation claims where you can demonstrate material loss. Customers wishing to speak to us should do so through our normal channels, details of which can be found here.
Q: Who can I complain to?
A: Please contact O2 through our normal channels, details of which can be found here.
Q: How do I know this won’t happen again?
A: We take the security of our customers’ data extremely seriously. This was a one-off incident, which has now been fixed, and we are putting in additional measures to prevent a recurrence.
How can I stop you sharing my number, even with these 'trusted partners'? I'm happy to lose the features you've highlighted - age verification, premium downloads, etc.
Posted by: Paul Bennett | 25 January 2012 at 03:37 PM
Although I'm mildly horrified about this information disclosure, thanks for fixing it so promptly after it was brought to your attention.
What controls will be put in place to ensure this doesn't happen again?
Posted by: Rolphus | 25 January 2012 at 03:37 PM
I'm not comfortable with "trusted" partners. Just because you trust them with my information doesn't mean I do.
An opt-out is a must here.
Posted by: Neil Inglis | 25 January 2012 at 03:38 PM
Please can you make the list of sites that you pass the number to available? As opposed to stating the types of sites which you pass it to?
Posted by: Arsebiscuiting | 25 January 2012 at 03:38 PM
Will users be able to cancel their contracts without charge due to the DPA breach?
Posted by: Paul | 25 January 2012 at 03:39 PM
Full and quick response, well done. Sadly you should have been aware of this 2 weeks ago.
Posted by: Richard Walton | 25 January 2012 at 03:39 PM
This statement is false. You weren't just sending it to "trusted partners" but to every website I visited. How dare you state such a blatantly obvious lie.
Posted by: Jamie | 25 January 2012 at 03:39 PM
Please can you provide a list of all the websites that you provide my mobile number to.
Also, please provide information on how to opt out of this practice.
Posted by: Hdotnet | 25 January 2012 at 03:40 PM
What if I don't want you sharing my mobile telephone number with trusted partners..?
Posted by: Concerned Ed | 25 January 2012 at 03:41 PM
I'd prefer not to share my number with anyone - trusted or otherwise.
How do I opt out of this system?
Posted by: Rod Smith | 25 January 2012 at 03:41 PM
Partners? What partners? Why can't you just send a boolean value as to whether I am over 18 or not?
Posted by: Dave Mackintosh | 25 January 2012 at 03:42 PM
I had a text from a number I didn't know and I've been charged over £4 for it. I'm not happy!!
Posted by: angelahenshaw282@o2.co.uk | 25 January 2012 at 03:42 PM
Why don't you offer your customers an "opt-out" alternative even for so-called "trusted partners"?
Posted by: RB | 25 January 2012 at 03:42 PM
I'm glad it is fixed.
Now, what about O2 compressing images and inserting JS into web pages? Can we opt out? It affects customers on giffgaff and Tesco too.
Posted by: Simonhowes | 25 January 2012 at 03:43 PM
Q: Which websites do you normally share my mobile number with?
A: Only where absolutely required by trusted partners who work with us on age verification, premium content billing, such as for downloads, and O2's own services, have access to these mobile numbers.
This isn't a good enough answer.
Posted by: Rahul | 25 January 2012 at 03:43 PM
Pretty big error this! Can you name all the websites that can see our numbers and if O2 receive payment in any way from the sites?
Posted by: chris | 25 January 2012 at 03:43 PM
Thanks for fixing the problem, and this update. Please can you publish a list of your trusted partners, so we know which sites receive our personal information?
Posted by: Ian Bridgeman | 25 January 2012 at 03:46 PM
How can you claim it was selected trusted 3rd parties when the site reporting this issue, lew.io/headers.php, had no affiliation with O2, and being a webmaster myself I tested this on my site and I am not a trusted partner?
Posted by: Mike Brown | 25 January 2012 at 03:46 PM
For the 1st time ever I have been receiving spam texts from unknown mob numbers this January. It sounds like this explains that - I had been wondering where they got my number. Can I file a complaint please?
Posted by: janet A | 25 January 2012 at 03:46 PM
@Jamie you might want to read the article again!
Posted by: Shaun Bent | 25 January 2012 at 03:46 PM
Hi Jamie, Mike, Jase Simpson, Davidbaldaro,
Check out Q: Why did this happen? Because of a maintenance change, it was possible in certain circumstances for other websites to see the mobile number.
Posted by: O2 | 25 January 2012 at 03:46 PM
You're apologising for the 'concern caused' but not the mistake itself - isn't that a bit, well, weird?
Posted by: Sienna_Gee | 25 January 2012 at 03:46 PM
You failed to answer this question: Q: Which websites do you normally share my mobile number with?
Rephrasing that: Explicitly list all websites & companies where my number will be included within the HTTP headers
Posted by: Ben Haskins | 25 January 2012 at 03:47 PM
In your Q&A above you state that only mobile number is visible, but when I checked from my blackberry I saw my Rim-device-id displayed.
Posted by: Dean_S | 25 January 2012 at 03:47 PM
Where is the list of "trusted" partners, and where did I give my permission for you to do this?
Also why do some websites need "age verification" and my number for "premium content billing", when they don't need it on my desktop?
This has only brought to light a more serious issue.
Posted by: Jon889 | 25 January 2012 at 03:48 PM