Mobile World Congress: Did the mainstream media notice?

I resolved this year to make sure...

NordVPN: Thanks again, Revolut

When I upgraded to Revolut's Ultra offering,...

Revolut’s Roaming eSIM: 1 week later

This week I have been using Revolut's...

Watch how this one plays out: o2 sending mobile numbers to every website you visit

There’s a mini firestorm brewing this morning around o2 UK. Earlier this morning, Matt Brian over at The Next Web broke the story about a ridiculously shocking privacy breach by o2.

Here’s a bit of Matt’s story:

If you reside in the UK and you are one of the millions of subscribers to mobile operator O2, you may be alarmed to learn that the carrier is sending your mobile number to every website you visit on your mobile phone.

The issue was brought to our attention by Lewis Peckover, who created a simple webpage to check the information that a mobile browser would send to a website when it requested data.

The story is still developing, however it’s clear that o2 has been passing your phone number to every website you visit. It’s passed in the headers — which most sites will ignore. Indeed, if your server isn’t looking for the field, then it’ll simply ignore it.

This is clearly a mistake and certainly not normal practice. If anything, I suspect it’s a misconfiguration or a standard configuration on a particular server, gateway or system at o2.

o2 will be horrified.

It’s going to be fascinating to see how they handle this. People are still hugely attached to their perceived privacy and the knowledge that every website you’ve visited via your phone could have retrieved your phone number will be massively discomforting.

The real problem is if the mainstream media pick it up. It looks like a bit of a slow news day — and it’s a terribly sexy issue, this, especially in the context of phone hacking. The headlines boiled down will make highly frustrating reading. I wouldn’t be surprised to see headlines like, “o2 exposes your phone number to every website” or “o2 gives your phone number to spammers” appearing shortly in the mainstream press.

o2 need to respond very, very quickly. I think they’ve got until midday to deliver a formal response. It’s 11am now. After midday the story could potentially gravitate from a Twitter firestorm into mainstream consciousness.

Can you imagine the implications of an adult website claiming that [insert famous person here] has visited their site 100 times in the last 2 days — and they’ve got the logs to prove it? Ooof!

What should o2 do?

Well I think that depends on how the media treat the issue. If it’s picked up by the Daily Mail anywhere near their front page, then they’ll need a mega response. Definitely.

Normal mobile users on o2 reading the story will go nuts. Folk will want to do something in response to the perceived privacy invasion, even if it didn’t actually affect them. The first instinct will be to cancel the line and churn to another network. The next instinct will be some kind of recompense — a free credit, some extra text messages or something like that. Quite possibly legions of users will demand that their phone numbers be changed.

Goodness me. It’s a bit of a mess.

There’s not much o2 can do, I don’t think, that would appease me as a normal user. I’d probably react very, very negatively to a £5 credit offer (“Is that what my privacy is worth?”).

The underlying issue here is the break down of trust that many o2 consumers will feel when they read the news. I think o2 should act decisively, positively — and if anything, they should over-react. Do everything. Offer everything. And put the CEO or a C-Level executive on camera right-away to speak to the media.

Of course we’re going to want to know how long this flaw has been live on the o2 systems; how many users have been potentially compromised and so on. That could take days to determine. So an immediate response is required now and then hourly updates should be issued throughout today and, say, tomorrow, until all the information is in o2’s hands.

We shall see.

If anyone can handle this kind of challenge, it’s o2. The team there are seriously capable. If anything, I think they could possibly use this as an opportunity to engage brilliantly with their customers and boost loyalty even more.

Bring it on, o2!

Update: Matt is back with a related post — How O2 could unwittingly help spammers conduct a nasty phishing campaign that’s worth a read.

Update 2: o2 has posted a public announcement on the matter (thanks Adrian)


  1. Good luck o2. You’re going to need it..

    Seriously though, I don’t see why a mobile ISP should feel they have the right to alter HTTP produced on my device just because it goes through their network. Replacing image links to downscaled copies and inserting JS into pages is a shithead’s activity.

  2. Well…. Yet more proof that O2 are screw ups. In my eyes, their customer service advisors know very little when try’na sort out account issues. In past experience it’s the most un relable UK network. I’ve axed my PAYG account I opened with them last September [to have the international bolt on, irish phone number bolt on] ‘cos all they & the system did was screw up. This just proves that they are careless. Glad they are not my main provider!

  3. One of the interesting outcomes of this of course is that O2 have done nothing that we, as consumers, have already agreed to as it it all contained within the T&C’s of the contract that none of us ever really bother reading. Additionally, what has happened is not illegal as they have not, under the terms of various Data Privacy legislation, actually broken any rules. 

    I do wonder though how many of their 25m+ subscribers actually care or is this once again a tech storm in a teacup? Of course, for the technorati, the media (I have no doubt that Charles Arthur will write about it) and those on the far right of privacy, it is a PR disaster. I am now of course wondering if Vodafone, with whom I have my company contract as well as all my personal devices, do the same!

  4. Who are better at CS in the mobile space then?  I’ve not dealt with T-Mobile, Orange were great when I was with them, Vodafone & Three SUCK BIG TIME.  I’ve always found O2 to be pleasant to deal with.


Please enter your comment!
Please enter your name here

This site uses Akismet to reduce spam. Learn how your comment data is processed.

Recently Published

Mobile World Congress: Did the mainstream media notice?

I resolved this year to make sure I wrote something - anything - about Mobile World Congress, the huge mobile industry trade show taking...

NordVPN: Thanks again, Revolut

When I upgraded to Revolut's Ultra offering, I did so with a strong focus on the Financial Times digital subscription which normally retails at...

Revolut’s Roaming eSIM: 1 week later

This week I have been using Revolut's new eSIM capability whilst I was in Sweden for Stockholm FinTech Week. I'm an Ultra subscriber so...

Revolut launches in-app eSIM service; includes 3GB data roaming for Ultra customers

Well now, leave it to the team at Revolut to actually do some innovating in financial services. The news broke this morning that Revolut...

Samsung SGH-E700… now with Android?

Imagine my sudden, unexpected excitement when I saw this email and subject in my inbox this morning: "OMG," I thought. "Have they actually done...

Why you need GadgetsOman (or similar) in your life

About four days ago I got a familiar WhatsApp message from the team at GadgetsOman. It was just a day or so after the...