O2 has fixed a bug in the way it handles mobile broadband traffic that saw its customers unwittingly exposing their mobile phone numbers to website owners.
The operator apologised for the apparent glitch on Wednesday, saying it had been caused by technical changes made during routine maintenance. O2 said the leaking of the phone numbers only took place over a two-week period, ending on Wednesday afternoon.
"Every time you browse a website (via mobile or desktop), certain technical information about the machine you are using is passed to website owners," O2 said in a blog post. "This happens across the internet, and enables website owners to optimise the site you see. When you browse from an O2 mobile, we add the user's mobile number to this technical information, but only with certain trusted partners."
"In between 10 January and 2pm [on] Wednesday 25 January, in addition to the usual trusted partners, there has been the potential for disclosure of customers' mobile phone numbers to further website owners," the operator admitted, stressing that this would only have taken place over 3G and WAP connections, not Wi-Fi.
The phone numbers were being included in the HTTP headers used in establishing browsing sessions between customers' phones and websites' servers, as systems administrator and O2 customer Lewis Peckover discovered on Tuesday.
Peckover explained his findings in a post that included a script telling readers browsing from phones whether their phone numbers were being transmitted to him. Many numbers were being exposed, taking the issue viral and leading the Information Commissioner's Office to say it would talk to O2 about the breach.
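Peckover's page demonstrated the leak by echoing back the headers a phone's request carried. The same check from the site-operator side, as an added example (not Peckover's script and not O2's code): scan every request header for a value shaped like a UK mobile number and report it masked, so a site can tell whether a carrier gateway is injecting subscriber numbers without recording them. The header name `X-Carrier-Subscriber`, the number pattern and the sample request are assumptions constructed for the example.

```python
import re
from typing import Dict, List, Tuple

# Values that look like a UK mobile number (MSISDN): national format
# 07xxxxxxxxx, or international 447xxxxxxxxx with optional '+' or '00'.
# Assumed pattern for the example; adjust for other markets.
MSISDN_RE = re.compile(r"^(?:\+|00)?(?:447|07)\d{9}$")

# Separators a gateway might place between digit groups.
SEPARATORS_RE = re.compile(r"[\s\-]")


def looks_like_msisdn(value: str) -> bool:
    """Return True if a header value is a bare UK mobile number."""
    return bool(MSISDN_RE.match(SEPARATORS_RE.sub("", value)))


def find_msisdn_headers(headers: Dict[str, str]) -> List[Tuple[str, str]]:
    """Scan every request header and return those whose value looks like a
    subscriber number. No header name is assumed: an injected header can
    carry any name, so the check is on the value alone."""
    return [(name, value) for name, value in headers.items()
            if looks_like_msisdn(value)]


def mask_msisdn(value: str) -> str:
    """Mask all but the last three digits so an audit log can show that a
    number was present without storing the number itself."""
    digits = SEPARATORS_RE.sub("", value)
    return "*" * (len(digits) - 3) + digits[-3:]


# Constructed sample request (not captured traffic): an ordinary mobile
# browser request plus one hypothetical carrier-added header carrying a
# number from the Ofcom reserved test range.
SAMPLE_HEADERS = {
    "Host": "example.test",
    "User-Agent": "Mozilla/5.0 (Linux; Android 2.3) Mobile",
    "Accept": "text/html",
    "X-Carrier-Subscriber": "447700900123",  # hypothetical header name
    "X-Forwarded-For": "10.0.0.7",
}

if __name__ == "__main__":
    for name, value in find_msisdn_headers(SAMPLE_HEADERS):
        print(f"{name}: {mask_msisdn(value)}  <- subscriber number in request")
```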
In its blog post on Wednesday, O2 insisted that "security is of the utmost importance to us and we take the protection of our customers' data extremely seriously".
O2 did not explain precisely which 'trusted partners' were supposed to be shown customers' phone numbers, but it said the "sharing" of these numbers took place for three reasons: to manage age verification; to let third-party content partners bill the customer for premium content; and to "identify customers using O2 services, such as My O2 and Priority Moments".
Crucially, O2 claimed that the websites being accidentally sent the phone numbers would not be able to link them to any other identifying information — if such correlation were possible, that would likely be a breach of the Data Protection Act.
"We are in contact with the Information Commissioner's office, and we will be co-operating fully. We have also contacted Ofcom," O2 noted.