
Is O2 sharing your phone number with the sites you visit?

Like to do a little bit of web browsing on your mobile? Well, you could be giving out more information than you think. In fact, if you’re with O2, this provider could be sharing your phone number with the sites you visit.

You may not know it, but when you visit a website from your mobile, your browser sends information about your phone in the HTTP headers of every request. This includes what browser you’re using and what phone you own, which helps websites display content in the best way on your mobile.

However, what if your network provider was sharing more than that? What if it was handing out your phone number?

Your phone number is…

Well, on Twitter, Lewis Peckover (@lewispeckover) discovered that O2 is doing just that, albeit unwittingly. While you’re happily browsing your favourite sites (Which? Convo being one, I hope), you could be handing over your phone number without knowing it. Or rather, O2 is handing it over for you.

Most sites don’t record this type of information, and even if they do it’s unlikely that reputable sites are taking advantage of this phone number leak.

However, now that we know this information is being thrown about, malicious websites might not be so discerning. If you use your phone for a lot of browsing, you could receive spam texts galore and – even worse – scams.

You can see whether you’re affected by going to Lewis Peckover’s website from your phone. We’ve tested this in the office on phones using O2’s network, and even on GiffGaff which runs on the O2 network, and they both gave out the phone number.

When we did the same on Virgin, Vodafone, T-Mobile/Orange and 3 phones, a number was not recorded.
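As an added illustration (not code from Which?, O2 or Lewis Peckover’s website): a header-checking page can only report what a request carried when it arrived, so this sketch compares a request as the browser sent it with the same request as a web server received it, lists the headers added on the way, and flags any header whose value looks like a UK mobile number. Both requests, the header name X-Example-Subscriber-Id and the phone number are constructed for the example.

```python
import re

# UK mobile number as a gateway might write it: 07..., 447... or +447...
UK_MOBILE = re.compile(r"(?<!\d)(?:\+?44|0)7\d{9}(?!\d)")

# Constructed sample: the request as the handset's browser sent it.
SENT = (
    "GET / HTTP/1.1\r\n"
    "Host: example.org\r\n"
    "User-Agent: Mozilla/5.0 (Linux; U; Android 2.3.4; en-gb) AppleWebKit/533.1\r\n"
    "Accept: text/html\r\n\r\n"
)
# Constructed sample: the same request as the web server received it.
# X-Example-Subscriber-Id is a hypothetical header name; the number is from
# the range Ofcom reserves for fiction (07700 900xxx).
RECEIVED = SENT.replace(
    "Accept: text/html\r\n",
    "Accept: text/html\r\nVia: 1.1 gateway.example\r\n"
    "X-Example-Subscriber-Id: 447700900123\r\n",
)

def parse_headers(raw):
    """Return {lower-cased header name: value} for a raw HTTP request."""
    head = raw.replace("\r\n", "\n").split("\n\n", 1)[0]
    headers = {}
    for line in head.split("\n")[1:]:  # skip the request line
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return headers

def added_in_transit(sent_raw, received_raw):
    """Header names the server saw that the browser never sent."""
    return sorted(set(parse_headers(received_raw)) - set(parse_headers(sent_raw)))

def number_leaks(raw):
    """(header, masked value) for every header carrying a UK mobile number."""
    def mask(m):  # keep only the last three digits in any report
        return "*" * (len(m.group()) - 3) + m.group()[-3:]
    return [(name, UK_MOBILE.sub(mask, value))
            for name, value in parse_headers(raw).items()
            if UK_MOBILE.search(value)]

if __name__ == "__main__":
    print("added in transit:", added_in_transit(SENT, RECEIVED))
    print("headers carrying a number:", number_leaks(RECEIVED))
```

Matching on the value rather than on a fixed header name means the check still works when the name of the inserted header is not known in advance.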

Is your provider giving out your number?

We’ll be very interested to see whether your phone is sharing your phone number too, so please try it out on Lewis’ website and tell us in the comments, along with the network provider you use.

Dr Rob Reid, Which? scientific policy advisor, comments on the leak:

‘Phone numbers are personal data and as such O2 could be in breach of the Data Protection Act. As a result the Information Commissioner’s Office (ICO) should investigate how this has happened and if it feels O2 has breached the Act, the ICO should take enforcement action.

‘O2 needs to take action to resolve this immediately, inform all of those affected and advise them on the steps they should take to protect themselves.’

We’re in touch with O2, which has said on Twitter that it is looking into the problem, so we’ll share any statement with you as soon as we get it. Hopefully they’ll close this loophole soon – otherwise people might start switching mobile provider.

[UPDATE 12.10pm 25/01/12] – We contacted the Information Commissioner’s Office (ICO) about this, which makes sure companies adhere to data privacy laws in the UK, and it sent us this statement:

‘Keeping people’s personal information secure is a fundamental principle that sits at the heart of the Data Protection Act and the Privacy and Electronic Communications Regulations. When people visit a website via their mobile phone they would not expect their number to be made available to that website.

‘We will now speak to O2 to remind them of their data breach notification obligations, and to better understand what has happened, before we decide how to proceed.’

[UPDATE 3.45PM 25/01/12] – O2 has confirmed that it has fixed the problem, releasing the following statement along with an online Q&A:

‘Security is of the utmost importance to us and we take the protection of our customers’ data extremely seriously.

‘We have seen the report published this morning suggesting the potential for disclosure of customers’ mobile phone numbers to website owners.

‘We investigated, identified and fixed it this afternoon. We would like to apologise for the concern we have caused.’

Simon Parkyn says:
25 January 2012

I’ve just checked my phone on Lewis Peckover’s website above and yes my number was displayed in the headers. I’m on giffgaff and I’m quite annoyed!


Yes, it seems O2’s subsidiaries GiffGaff and Tesco Mobile are affected. GiffGaff has told us on Twitter that they are also investigating.


Same here Simon – GiffGaff runs on the O2 network, so it is clearly added at some point in the chain when they both converge. I have been heretofore very pleased with both O2 and GiffGaff, so I’m quite disappointed to see such a blatant disregard for my privacy.


Hi folks,

I’m Craig from the giffgaff community team. As Patrick has said, we’ve been made aware of this and wanted to update you with some news from our side.

The privacy and security of our customers and community are really, really important to us – our utmost concern in fact. As a result, we’re looking into this as a top priority. Initial impressions are that this appears to be an O2 network issue, but of course we’ll need to confirm this.

If you’d like to keep a track of this on our side of things, we’ll be updating and discussing on our community this thread fgaff.com/t5/Service-Updates-Notice-board/Mobile-Number-Information-Issue-25-01-11/m-p/2854061/highlight/false#M25550) – and be back with news there as soon as we have info.

Many thanks,



Just checked on O2 and no number appears on either iPhone or iPad.


It appears to be only affecting users who are using the wap.o2.co.uk APN to access the internet. Changing these details to mobile.o2.co.uk and the username to o2web rather than o2wap will stop addition of the extra headers.

The iPhone 4S and the Galaxy Nexus both seem to default to these APNs which is why some users haven’t been seeing the issue.

It also seems that a number of o2 services only require phone number for security as detailed on http://blog.networksaremadeofstring.co.uk/2012/01/25/potential-social-engineering-avenues-resulting-from-the-o2-header-issues/ which could lead to many scams against phone owners who don’t know about this leak.

Steve says:
25 January 2012

It appears to be more complicated than that.

My phone number is being passed to websites and my iPhone 4 APN is set to use idata.o2.co.uk

mister squirrel says:
25 January 2012

For once I am glad to say thank god I’m using BlackBerry as the O2 number giving out doesn’t affect BlackBerry users (I don’t say “thank god I’m using a BlackBerry” that often)


Hi everyone, it looks like O2 has closed this loophole, though we’ll let you know as soon as O2 confirms it’s fixed.


Hope so. That’s a quick win if it works.


Does closing this loophole also include fixing their services that only require your phone number to work?

I wonder if other providers’ in-house services work the same way as well…


We contacted the ICO again about whether a phone number is considered personally identifiable information and thus would be in breach of the Data Protection Act. It told us:

‘In terms of this alleged breach, O2 seem to have mistakenly exposed people’s phone numbers. As they are legally required under the Data Protection Act to keep people’s details secure (of which people’s phone numbers are a component of customer information), then this could breach Data Protection and PECR rules.

‘As for whether a phone number in itself constitutes personal data – this depends on the circumstances, and we can’t say in this case until we have looked into it.

‘If a phone number was written on its own on a post it note with no other details and then discarded in the street then this may not be strictly personal data. However, if a phone number is coupled with other information – for instance IP addresses – then this may constitute it. In any case, the essential issue here is whether O2 has kept its customer information secure. In short, it’s not as simple as a yes or no answer and depends on the individual circumstances.’


That is very interesting, because by definition your IP address is part of the request sent to any site you are accessing, strengthening the ICO case.

Also, this information is also sent to any sites whose content is embedded in a page you are viewing. If you go to a page that has an advert in it which comes from another site, the advert provider gets the same information.