Security is of the utmost importance to us and we take the protection of our customers’ data extremely seriously.
We have seen the report published this morning suggesting the potential for disclosure of customers’ mobile phone numbers to website owners.
We investigated, identified and fixed it this afternoon. We would like to apologise for the concern we have caused.
Below is a set of Q&As, to answer questions we've been receiving. If you have further questions, do leave them in the blog comments and we will do our best to answer as many as possible.
Q: What's happened with O2 mobile numbers when I browse the internet on my mobile?
A: Every time you browse a website (from a mobile or a desktop), certain technical information about the device you are using is passed to the website owner as part of the request. This happens across the internet and lets website owners optimise the site you see. When you browse from an O2 mobile, our network adds your mobile number to this technical information, but only for certain trusted partners. This is standard industry practice. We share mobile numbers with selected trusted partners for three reasons:
1) to manage age verification, which controls access to adult content;
2) to enable third-party content partners to bill for premium content, such as downloads or ringtones, that you have purchased;
3) to identify customers using O2 services, such as My O2 and Priority Moments.
This only happens over 3G and WAP data services, where your traffic passes through our network gateway, and not over WiFi, which bypasses it.
Q: How long has this been happening?
A: Between 10 January and 14:00 on Wednesday 25 January 2012, mobile numbers could also be disclosed to website owners outside the usual set of trusted partners.
Q: Has it been fixed?
A: Yes. It was fixed as of 14:00 on Wednesday 25 January 2012.
Q: Which of my information can website owners access?
A: The only information websites could access is your mobile number. It was not accompanied by any other information O2 holds about you, so a website could not link it to your O2 account from our data alone. A site that already identifies you by a login or a cookie could, however, associate the number with that record.
Q: Why did this happen?
A: Technical changes we implemented as part of routine maintenance had the unintended effect of adding the mobile number to requests for websites outside our trusted partner list, so that in certain circumstances those website owners could see the mobile numbers of customers browsing their sites.
Q: Which customers were affected?
A: It affected customers accessing the internet from their mobile phone over 3G or WAP services, but not WiFi, between 10 January and 14:00 on Wednesday 25 January 2012.
Q: Which websites do you normally share my mobile number with?
A: Only trusted partners who absolutely require it have access to these mobile numbers: those who work with us on age verification, premium content billing (such as downloads), and O2's own services.
Q: The Information Commissioner said he is investigating - what are you doing as part of this?
A: We are in contact with the Information Commissioner's office, and we will be co-operating fully. We have also contacted OFCOM.
Update - 26 January 2012 - Additional Q&As:
Q. Who are your trusted partners?
A. There are two instances where we share your mobile phone number with websites:
1. Trusted partner sites
Our trusted partners are those sites that require a mobile number when you visit them in order to offer you ringtones, wallpapers and content direct to your phone. We carefully vet these sites, and only work with them under contractual obligation, to ensure your mobile phone number is only used to bill you.
2. Age verification
We share mobile numbers with two age verification partners, for child protection purposes. For customers who have not verified with us that they are over 18, we share the number with Bango.net and Eckoh.com, who verify your age before you can access sites with over-18 content. Your number is not shared further than these two partners.
Q: Can I opt out of O2 sharing my mobile number with these partners?
A. It is not possible to opt out of our age verification process, which exists for child protection purposes.
You can choose not to visit our trusted partners whose sites offer you ringtones, wallpapers and content direct to your phone. These sites require your mobile phone number in order to complete the purchase and charge it to your mobile bill.
Q. Why does everyone need to age verify?
A. To ensure that children are protected from inappropriate content when using the internet on their phones, we require customers to prove they are over 18 before they can use these sites. Access to 18+ rated websites is therefore blocked by default. Customers only have to age verify once. For more information on age verification, please see our website: https://ageverification.o2.co.uk/
Q: I want to leave O2 with immediate effect because you have breached T&Cs / shared my data without my consent. Can I?
A. This was a technical error that has now been rectified. We have not breached our terms of service. In light of this, customers’ contracts remain valid and O2 shall continue to provide you a service in accordance with your contract.
Q: How are you compensating customers?
A. As part of our usual business practice, we consider compensation claims where you can demonstrate material loss. Customers wishing to speak to us should do so through our normal channels, details of which can be found here.
Q: Who can I complain to?
A: Please contact O2 through our normal channels, details of which can be found here.
Q: How do I know this won’t happen again?
A: We take the security of our customers' data extremely seriously. This was a one-off incident. We have fixed the problem and we are putting in additional measures to prevent a recurrence.
Update - 2 April 2012 - Additional Q&As:
Q: Why have you not published a list of partners?
A: We have not published a full list of partners due to the variety of publicity and confidentiality provisions we have in their contracts. We would reiterate, though, that these are websites where a mobile phone number is needed to bill for content purchased. The billing is done by premium text message which appears on your mobile phone bill. All mobile operators have similar arrangements with partners to ensure that customers are billed correctly for the content purchased.
Q: What else is O2 doing about this?
A: Over the coming months we will be moving to a system in which the mobile phone number is not identifiable in the header information sent to any website a customer visits to purchase content. This will also apply to the process with our two age verification partners, Bango and Eckoh, for customers who have not verified with us that they are over 18.
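As an added illustration (not O2's code and not taken from the post), the following Python models the mechanism described in the first answer and the change announced in the April update: a gateway that adds a subscriber identifier to requests leaving the operator's 3G/WAP data path, first as the post describes the fault (added for every host), then scoped to trusted partner hosts only, then with the raw number replaced by a per-partner pseudonym; plus the audit check a site owner can run over logged request headers. The header name X-Up-Calling-Line-ID, the token header name, the partner hostnames and the secret are assumptions for illustration.

```python
"""Model of an operator gateway that adds a subscriber identifier to outbound
HTTP requests: the leak, the scoped fix, a per-partner token, and an audit.
Constructed illustration, not O2's code; header and host names are assumed."""
import hashlib
import hmac
import re

# Header used by WAP-era gateways to carry the subscriber's number (assumed name).
MSISDN_HEADER = "X-Up-Calling-Line-ID"
# Header for a per-partner pseudonym in place of the raw number (hypothetical name).
TOKEN_HEADER = "X-Subscriber-Token"

# Bearers whose traffic traverses the operator's gateway; WiFi does not.
GATEWAY_BEARERS = {"3g", "wap"}

# Hosts with a contractual reason to receive an identifier (assumed names).
TRUSTED_PARTNERS = {
    "bill.partner.example",  # premium content billing
    "age.partner.example",   # age verification
}

# UK mobile number as a gateway would carry it: 447xxxxxxxxx, +447..., or 07...
UK_MSISDN_RE = re.compile(r"^(?:\+?44|0)7\d{9}$")


def looks_like_msisdn(value):
    """True if a header value is shaped like a UK mobile number."""
    return bool(UK_MSISDN_RE.match(value.strip()))


def _strip_identity(headers):
    """Drop any identity headers the client sent, so a handset cannot spoof them."""
    drop = {MSISDN_HEADER.lower(), TOKEN_HEADER.lower()}
    return {k: v for k, v in headers.items() if k.lower() not in drop}


def inject_broken(headers, host, bearer, msisdn):
    """The failure mode in the post: number added for every host on 3G/WAP."""
    out = _strip_identity(headers)
    if bearer in GATEWAY_BEARERS:
        out[MSISDN_HEADER] = msisdn
    return out


def inject_scoped(headers, host, bearer, msisdn):
    """Intended behaviour: number added only for trusted partner hosts."""
    out = _strip_identity(headers)
    if bearer in GATEWAY_BEARERS and host in TRUSTED_PARTNERS:
        out[MSISDN_HEADER] = msisdn
    return out


def partner_token(msisdn, host, secret):
    """Per-partner pseudonym: HMAC over (partner host, number) under an operator
    secret.  Each partner sees a different token, no token can be reversed to
    the number, and a token leaked from one partner is useless at another."""
    return hmac.new(secret, f"{host}\n{msisdn}".encode(), hashlib.sha256).hexdigest()


def inject_tokenised(headers, host, bearer, msisdn, secret):
    """Direction stated in the April 2012 update: the partner receives a token,
    not the number, and the operator resolves it when the partner bills."""
    out = _strip_identity(headers)
    if bearer in GATEWAY_BEARERS and host in TRUSTED_PARTNERS:
        out[TOKEN_HEADER] = partner_token(msisdn, host, secret)
    return out


def audit(headers, host):
    """Check a site owner (or the operator's own QA) can run over received
    headers: names of headers carrying something shaped like a mobile number,
    for a host that is not a trusted partner.  Any hit is a leak."""
    if host in TRUSTED_PARTNERS:
        return []
    return sorted(k for k, v in headers.items() if looks_like_msisdn(v))


if __name__ == "__main__":
    # Constructed request: a subscriber on 3G fetching an ordinary news site.
    req = {"Host": "news.example", "User-Agent": "Mozilla/5.0 (Mobile)"}
    number = "447700900123"  # Ofcom-reserved drama range, not a real subscriber
    leaked = inject_broken(req, "news.example", "3g", number)
    print("broken gateway leaks:", audit(leaked, "news.example"))
    fixed = inject_scoped(req, "news.example", "3g", number)
    print("scoped gateway leaks:", audit(fixed, "news.example"))
    tok = inject_tokenised(req, "bill.partner.example", "3g", number, b"secret")
    print("partner sees token:", tok[TOKEN_HEADER][:16], "...")
```

The audit is the check that surfaced the incident in practice: website owners noticed a number-shaped value in their request logs. The scoped and tokenised variants also discard any identity header the handset itself supplied, so a client cannot impersonate another subscriber to a billing partner by sending the header in its own request.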
This is still completely unacceptable. There is absolutely no reason why personal data such as my telephone should ever have been sent IN THE CLEAR to even trusted partners. An arbitrary unique identifier, unusable without context, that refers to my account in your database would've been just as useful since these "trusted partners" would have to refer to you for billing anyway.
Posted by: Ryan | 25 January 2012 at 03:48 PM
We need the option to prevent our mobile number being sent to ANY website. O2 may trust them but we may not. #O2privacy_FAIL
Posted by: Bill | 25 January 2012 at 03:48 PM
Can you please provide a complete list of these "trusted partners" my mobile number is being shared with? Can you also provide a mechanism to opt out of sharing my private information with your "trusted parties"?
Posted by: Chris S | 25 January 2012 at 03:48 PM
= You didn't fully answer your own question. "Which websites do you normally share my mobile number with?" The actual names of which websites would be useful.
= Where did I sign up to allowing you to share my personal information?
= How does giving my phone number to a site prove that I am or am not over 18?
Posted by: Alan Smith | 25 January 2012 at 03:48 PM
I think this is a pretty reasonable response, except for two phrases:
"there has been the potential for disclosure of customers’ mobile phone numbers to further website owners."
It's not a "potential" disclosure, there _was_ a disclosure of the phone number of many of your customers, whether the website owner chose to use it or not. You sent the number, regardless of the website actions.
You say a similar thing later, saying
"possible in certain circumstances for website owners to see the mobile numbers of those browsing their site."
You say that as if you're attempting to make it sound like the circumstances are rare, or uncommon, but let's be honest, it was very common, and indeed would be the "normal circumstances" for your phones (including mine).
Posted by: Ewan | 25 January 2012 at 03:48 PM
What were the "certain circumstances"?
Sounds like nonsense to me. Man up and take responsibility for your error.
Posted by: David Hodgson | 25 January 2012 at 03:49 PM
I have 2 questions:
1. Can we have a list of these "trusted partners".
2. How do we opt-out of this? So that even "trusted" partners are not given our data.
Posted by: Sean | 25 January 2012 at 03:49 PM
Read the article again Jamie, you weren't lied to.
Posted by: perksie | 25 January 2012 at 03:49 PM
I get what you mean, but your Q&A is badly worded, so confusion, such as the one voiced by Jamie above, is going to be pretty common.
Posted by: Patrick | 25 January 2012 at 03:49 PM
1. Who are these 'trusted partners'?
2. How do I opt out of you sharing my private, unlisted number with these 'trusted partners', in accordance with the Data Protection Act?
3. Why would they need my number for age verification when all you'd need to tell them is a Yes or No?
Posted by: Ian Ferguson | 25 January 2012 at 03:50 PM
Looks like some people are far too quick to comment without actually reading the full article.
Posted by: Daniel Samuels | 25 January 2012 at 03:50 PM
Please can you release a full list of your "trusted partners" who you usually leak my phone number to.
Posted by: Edd | 25 January 2012 at 03:50 PM
As a paying customer, I still want to see a list of all "trusted partners" and web sites you share my mobile phone number with going forward, so that I can choose whether or not to grant them access to that personal data by visiting their sites.
Posted by: Hanners1979 | 25 January 2012 at 03:50 PM
Please can we have a list of 'trusted sites'. You trust them but I would like to make my own decision on whether I want to share my number with any given site.
Posted by: Tudor Watson | 25 January 2012 at 03:50 PM
Good job on damage limitation O2, a crisis situation dealt with in the best possible way.
Posted by: Joel | 25 January 2012 at 03:51 PM
I am outraged! I've not read this but I'm still outraged! I'm going to write an angry letter using my green crayon.
Posted by: Jamie McTard | 25 January 2012 at 03:51 PM
Did we give our permission for our mobile phone numbers to be shared with "trusted parties"? Where in the small print was this stated? How does this square with the Data Protection Act?
Posted by: Ben Werdmuller | 25 January 2012 at 03:51 PM
Sorry - when you say "there has been the potential for disclosure of customers’ mobile phone numbers to further website owners" are you being entirely truthful?
There were a large number of websites reporting they can see O2 phone numbers in the logs. Do you have an example of the sites where you didn't send the data?
Posted by: Paul Thompson | 25 January 2012 at 03:51 PM
Can you list the third parties our numbers are shared with, and is there any sort of opt-out or gateway that lets us know when this is happening?
Posted by: Rolphus | 25 January 2012 at 03:51 PM
"The only information websites had access to is your mobile number, which could not have been linked to any other identifying information we have about customers."
Unless the 3rd party website also had information about you, in which case they can now link this to the mobile number.
Posted by: Concerned | 25 January 2012 at 03:52 PM
Will O2 be offering a service to block the unsolicited texts I have been receiving since December, which I am guessing got my number from O2's data protection breach?
Posted by: chris | 25 January 2012 at 03:52 PM
How about a list of these trusted partners that you are sharing our numbers with? Would be nice to know!
Posted by: Nathan | 25 January 2012 at 03:52 PM
The number shouldn't be sent to any party no matter how much you claim to trust them.
Posted by: Duncan | 25 January 2012 at 03:52 PM
Could you please point out in T&C's where it says you have permission to provide my mobile number to "trusted" third parties, who these trusted parties are and how often this information is released without my consent.
Also, why did it take you two weeks to realise this information was being "unknowingly" released? If it had not been brought to your attention, when would you have next checked to ensure your customers' data wasn't being released unlawfully?
Posted by: Chris | 25 January 2012 at 03:52 PM
Hi O2,
Unfortunately this is confusing in your post. You should reword to state that up front, or at least in the "Why did this happen?" section that the breach made it possible for "any website, not just your trusted partners" to see this information.
This is not something that is clear from the post, sorry.
Jamie
Posted by: Jamie | 25 January 2012 at 03:52 PM