
Is O2 sharing your phone number with the sites you visit?

Like to do a little bit of web browsing on your mobile? Well, you could be giving out more information than you think. In fact, if you’re with O2, this provider could be sharing your phone number with the sites you visit.

You may not know it, but when you visit a website from your mobile, your browser sends information about your phone in the HTTP headers of each request. This includes what browser you’re using and what phone you own, which helps websites display content in the best way on your mobile.

However, what if your network provider was sharing more than that? What if it was handing out your phone number?

Your phone number is…

Well, on Twitter, Lewis Peckover (@lewispeckover) discovered that O2 is doing just that, albeit unwittingly. While you’re happily browsing your favourite sites (Which? Convo being one, I hope), O2 could be handing over your phone number without you knowing.

Most sites don’t record this type of information, and even if they do it’s unlikely that reputable sites are taking advantage of this phone number leak.

However, now that we know this information is being thrown about, malicious websites might not be so discerning. If you use your phone for a lot of browsing, you could receive spam texts galore and – even worse – scams.

You can see whether you’re affected by going to Lewis Peckover’s website from your phone. We’ve tested this in the office on phones using O2’s network, and even on GiffGaff which runs on the O2 network, and they both gave out the phone number.

When we did the same on Virgin, Vodafone, T-Mobile/Orange and 3 phones, a number was not recorded.
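The check described above amounts to a page that reads back the headers a server received. As an added example (not code from Lewis Peckover’s site or from Which?), this Python code parses a raw request and flags any header whose value looks like a UK mobile number. The header name `X-Example-Subscriber-Number`, the host and both sample requests are constructed for the example, and the number comes from the range Ofcom reserves for drama use.

```python
import re

# UK mobile number: 07xxxxxxxxx, or 447xxxxxxxxx / +447xxxxxxxxx in international form.
UK_MOBILE = re.compile(r"(?<!\d)(?:\+?44|0)7\d{9}(?!\d)")

# Constructed request as a web server might see it after a carrier proxy has
# added a header. The header name is hypothetical; the page does not name it.
SAMPLE_WITH_INJECTION = (
    "GET / HTTP/1.1\r\n"
    "Host: headers.example\r\n"
    "User-Agent: ExampleBrowser/1.0 (Mobile)\r\n"
    "Accept: text/html\r\n"
    "X-Example-Subscriber-Number: 447700900123\r\n"
    "\r\n"
)
# Constructed request with only the headers the browser itself sent.
SAMPLE_CLEAN = (
    "GET / HTTP/1.1\r\n"
    "Host: headers.example\r\n"
    "User-Agent: ExampleBrowser/1.0 (Mobile)\r\n"
    "\r\n"
)

def parse_request_headers(raw):
    """Return (name, value) pairs from a raw HTTP/1.1 request head."""
    head = raw.split("\r\n\r\n", 1)[0]
    pairs = []
    for line in head.split("\r\n")[1:]:  # skip the request line
        name, sep, value = line.partition(":")
        if sep:
            pairs.append((name.strip(), value.strip()))
    return pairs

def mask(number):
    """Keep only the last three digits so the report does not re-leak the number."""
    return "*" * (len(number) - 3) + number[-3:]

def find_number_leaks(raw):
    """List (header name, masked number) for each header carrying a mobile number."""
    leaks = []
    for name, value in parse_request_headers(raw):
        compact = re.sub(r"[ \-]", "", value)  # tolerate "+44 7700 900123" spacing
        match = UK_MOBILE.search(compact)
        if match:
            leaks.append((name, mask(match.group())))
    return leaks

if __name__ == "__main__":
    for label, raw in (("with injection", SAMPLE_WITH_INJECTION), ("clean", SAMPLE_CLEAN)):
        print(label, find_number_leaks(raw))
```

Because the match is on the value rather than the header name, the same check works whatever the proxy calls the header.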

Is your provider giving out your number?

We’ll be very interested to see whether your phone is sharing your phone number too, so please try it out on Lewis’ website and tell us in the comments, along with the network provider you use.

Dr Rob Reid, Which? scientific policy advisor, comments on the leak:

‘Phone numbers are personal data and as such O2 could be in breach of the Data Protection Act. As a result the Information Commissioner’s Office (ICO) should investigate how this has happened and if it feels O2 has breached the Act, the ICO should take enforcement action.

‘O2 needs to take action to resolve this immediately, inform all of those affected and advise them on the steps they should take to protect themselves.’

We’re in touch with O2, which has said on Twitter that it is looking into the problem, so we’ll share any statement with you as soon as we get it. Hopefully they’ll close this loophole soon – otherwise people might start switching mobile provider.

[UPDATE 12.10pm 25/01/12] – We contacted the Information Commissioner’s Office (ICO) about this, which makes sure companies adhere to data privacy laws in the UK, and it sent us this statement:

‘Keeping people’s personal information secure is a fundamental principle that sits at the heart of the Data Protection Act and the Privacy and Electronic Communications Regulations. When people visit a website via their mobile phone they would not expect their number to be made available to that website.

‘We will now speak to O2 to remind them of their data breach notification obligations, and to better understand what has happened, before we decide how to proceed.’

[UPDATE 3.45PM 25/01/12] – O2 has confirmed that it has fixed the problem, releasing the following statement along with an online Q&A:

‘Security is of the utmost importance to us and we take the protection of our customers’ data extremely seriously.

‘We have seen the report published this morning suggesting the potential for disclosure of customers’ mobile phone numbers to website owners.

‘We investigated, identified and fixed it this afternoon. We would like to apologise for the concern we have caused.’

Simon Parkyn says:
25 January 2012

I’ve just checked my phone on Lewis Peckover’s website above and yes my number was displayed in the headers. I’m on giffgaff and I’m quite annoyed!

Same here Simon – GiffGaff runs on the O2 network, so it is clearly added at some point in the chain when they both converge. I have been heretofore very pleased with both O2 and GiffGaff, so I’m quite disappointed to see such a blatant disregard for my privacy.

Hi folks,

I’m Craig from the giffgaff community team. As Patrick has said, we’ve been made aware of this and wanted to update you with some news from our side.

The privacy and security of our customers and community are really, really important to us – our utmost concern in fact. As a result, we’re looking into this as a top priority. Initial impressions are that this appears to be an O2 network issue, but of course we’ll need to confirm this.

If you’d like to keep a track of this on our side of things, we’ll be updating and discussing on our community this thread fgaff.com/t5/Service-Updates-Notice-board/Mobile-Number-Information-Issue-25-01-11/m-p/2854061/highlight/false#M25550) – and be back with news there as soon as we have info.

Many thanks,


Just checked on O2 and no number appears on either iPhone or iPad.

It appears to be only affecting users who are using the wap.o2.co.uk APN to access the internet. Changing these details to mobile.o2.co.uk and the username to o2web rather than o2wap will stop addition of the extra headers.

The iPhone 4S and the Galaxy Nexus both seem to default to these APNs which is why some users haven’t been seeing the issue.

It also seems that a number of O2 services only require phone number for security, as detailed on http://blog.networksaremadeofstring.co.uk/2012/01/25/potential-social-engineering-avenues-resulting-from-the-o2-header-issues/ which could lead to many scams against phone owners who don’t know about this leak.

Steve says:
25 January 2012

It appears to be more complicated than that.

My phone number is being passed to websites and my iPhone 4 APN is set to use idata.o2.co.uk

mister squirrel says:
25 January 2012

For once I am glad to say thank god I’m using BlackBerry as the O2 number giving out doesn’t affect BlackBerry users (I don’t say “thank god I’m using a BlackBerry” that often)

This is very bad for Telefonica UK, who run on the O2 mobile network in the UK, and run such networks as O2, Tesco Mobile PAYG & Monthly, GiffGaff.co.uk PAYG online only.

How does one know if their mobile number’s been recorded using the above website?

sloany says:
25 January 2012

loones, think you’ll find the IP address will be the IP address of the server the handset is connected to. As far as I know, IP addresses are not used on the GPRS network; the routing from the server to the mobile is carried out by the network’s servers. So it may not be as clear cut as you think.

source = http://en.wikipedia.org/wiki/GPRS_Core_Network

Bhoy Fett says:
26 January 2012

With this supposed breach of certain rules/regulations/guidelines, is there sufficient grounds to terminate your contract without penalty?

I recall many leaving O2 after call charges were restructured a few years ago and they could not penalise customers wishing to sever their contract early.

After this data breach, it does leave me considering how reliable my network operator is.

I’m really curious about the reason they need to share my phone number with trusted partners anyway. They say that it’s for checking that I’m over 18 – but this kind of identification can surely be done by sending a binary value (over 18? yes/no). Sending my entire number would seem irrelevant.

It also contradicts the initial part of their statement (which has now been edited to add more detail) where they said that your phone number wasn’t linked to any other identifying information about you. If that’s the case, how can it be used to tell that I’m over 18? or to provide me with ‘download and paid-for services’ for billing purposes? I don’t really understand, and would appreciate some more clarity on this.

I’m actually not with O2, but with giffgaff, and I think we’re affected in almost exactly the same way.

Extremely good point about the binary value for the age control.

Also, for billing purposes, they could send a unique billing ID rather than your mobile number…a number which is meaningless to anybody outside O2.

Yes – a unique ID would work well too.

daffieduck says:
26 January 2012

I would be very grateful if someone could provide the instructions on how to check if my telephone number has been compromised

Baz Cleaver says:
30 January 2012

Can I claim compensation from O2 for divulging my personal details?
And if so, how much would they likely pay out?
I’m seriously not happy with this breach of security.
It’s disgusting.

Baz Cleaver says:
30 January 2012

Cheers Patrick! Thank you!
You’re a good un!

Which Conversation-Comment-Is O2 Sharing Your Phone Number-16Apr2012

The more I look into this supposed mishap, the more suspicious I become. Indeed, the O2 official statement confirms that the only true accident was that the data were shared with every Website, rather than just a selected list of ‘partners,’ with whom Telefónica UK Limited (a.k.a. O2 UK) has commercial agreements. These partners are not defined or listed anywhere! O2 are likely building a loyalty scheme of partners who share personal data for marketing and product development with each other. If so, when did we join this scheme?

I have been digging into the terms and conditions in O2’s latest (2011) Pay-Monthly Contracts and its official Privacy Policy. The data sharing practices mentioned in these documents might make you shudder.

First, there is the basic contradiction regarding whether you opt-out or opt-in to sharing data with these non-specific partners and others. The Contracts outline an Opt-Out approach, i.e. as soon as the new contract applies (e.g. upgrade, purchase a new service plan or SIM, purchase an add-on [?], account migration [?]) your data can be immediately distributed; you must notify O2 (and wait) if you do NOT wish your details, including phone number, other personal identifying information, and usage data being shared for marketing and other purposes. The Privacy Policy outlines an Opt-In approach. Which is to be believed?

Second, O2 seems to be aggressively migrating accounts over to their latest in-house O2 billing system, i.e. if, like me, you had an account via a retailer such as Carphone Warehouse or Phones 4u, you may find that, without notice or consent (unlawful?), your account has been migrated directly onto O2. This may imply a different contract being forced upon you, as the retailer is no longer the billing company. I also discovered that a different phone plan had been forced upon me (fraud?); but a search of the net reveals that I am far from alone in seeing this ‘migration’ apparently used when O2 suddenly makes a service plan or feature obsolete, e.g. pay-upfront-for-life [PUFFL] or rollover minutes. A legal test is whether this results in “material detriment.” Well, changing contract terms, changing service plans, and, in my case, I now have no working SIM… seem to meet that definition. Worse, O2 has thus far refused to deal with my contractual or migration questions, insisting I continue to pay what had become a non-competitive rate (twice going price) for my ‘new’ monthly service (years since my initial 12-month ‘sentence’ was completed), de facto consenting to the new contract without discussion. In any case, the migration had failed and would not allow me to pay, so my SIM was barred. And that treatment is after more than a decade as a loyal O2 customer (a.k.a. ‘muppet’)!

Third, I have reviewed statements in the industry press, by various O2 executives, confirming their intentions to build a huge customer relationship management (CRM) database in the Czech Republic to exploit our data for marketing and other purposes.

Fourth, the O2 official explanation ( http://blog.o2.co.uk/home/2012/01/o2-mobile-numbers-and-web-browsing/ ) refers to “trusted partners who work with us on age verification…premium content…” But why should merely landing upon a site, which could be accidental, result in automatic disclosure of your phone number? I can see if you click on some upfront ‘age confirm’ panel or at the point of purchase (although other identifiers could and should be used), but not until those conscious decision points had been reached. Also, as of 02 January 2012, and despite many commenters (on the O2 official statement), O2 has refused to identify the list of ‘trusted partners’, let alone any other ‘partners’. We have a right to know with whom our personal data are being shared.

I am not buying the O2 official explanation. The comments on the O2 board suggest many customers remain sceptical. IMHO consumer watchdogs like Which? and the various regulators, Otelo (8 weeks of delay), Ofcom (toothless?), and the Information Commissioner, should continue to investigate.

Oh, and this O2 data sharing policy applies to all Telefónica Group subsidiaries (that’s worldwide, including regions without EU or strong data protection laws!) and ‘their’ partners. It also includes subsidiaries not obviously O2 or Telefónica, e.g. GiffGaff is a wholly-owned (with shared staff) O2 subsidiary not an independent MVNO as many of its customers (I nearly fell for it) still believe. Start shuddering!

Patrick Lee says:
4 July 2012

I use a phone paid for but never used by my partner. Today, I received a spam text addressed directly to her using her name. I am with O2. As she has never used this phone or this number, I can only assume that her details came from O2. In dialogue they have denied that they have handed out the number and details associated with it and suggested that I complete a long and tedious online form so that they could pursue this, despite knowing the number, my name, my email address. Is O2 handing out information? What can I do about this?