O2 investigates security risk allegation

UK mobile operator O2 is investigating claims it is leaking customer data by sending their phone numbers to websites they visit

UK mobile operator O2 is investigating claims it is putting customer security at risk by sending their phone numbers as header information to websites they visit.

In response to thousands of Twitter queries, O2 has said: “It's our top priority - we're investigating this at the moment. Once we've got an update, we'll let you know.”

A test by Computer Weekly earlier today revealed that O2 was still sending phone numbers in the header.

The mobile operator has been bombarded with queries since the apparent breach of customer privacy was revealed earlier this week. The discovery was disclosed by O2 customer and web systems administrator Lewis Peckover, who discovered the security flaw while investigating ways to verify a user is on a mobile device/network.

“If you're on O2's UK mobile network (not ADSL), you'll (probably) see a line beginning with x-up-calling-line-id - followed by your mobile phone number in plain text,” he said in an online posting.

The header data is not normally recorded by a website, but would be visible to a site administrator and could be used for malicious purposes such as spam or phishing.

Peckover tweeted that a similar breach is reportedly affecting users on O2 mobile virtual network operators Tesco Mobile and GiffGaff. No similar security risk has been identified on Vodafone, Everything Everywhere or Three, according to Mobile News.

One Twitter user asked: “How long should @O2 be given to stop disclosing phone numbers in HTTP headers before a mass complaint to ICO?”

Despite the flurry of interest, the problem has been known about for almost two years, according to Graham Cluley, senior technology consultant at security firm Sophos.

“In March 2010, Berlin student Collin Mulliner revealed his discovery at the CanSecWest conference in Vancouver and presented a paper on the topic entitled Privacy Leaks in Mobile Phone Internet Access,” he wrote in a blog post.

“My guess is that it's more likely to be a cock-up than malice which caused this data to be leaked - but what's worse is that the problem is still present almost two years after it was first discovered,” said Cluley.

Read more on IT for leisure and hospitality industry