Massive U.K. Carrier Mistake Breaches Mobile Customer Privacy

UPDATED 9:38 A.M. PST by Mike Isaac with most recent information

In a network maintenance snafu of epic proportions, customers of a U.K. cellular network have had their phone numbers exposed to web sites they visited from their smartphones. The security breach lasted for more than two weeks before it was fixed today.

A flurry of reports from mobile customers in the United Kingdom spread across Twitter on Wednesday morning after mobile developer Lewis Peckover discovered that handsets on the O2 network were disclosing their owners' phone numbers to web sites. After O2 performed routine maintenance on its network earlier this month, web requests made from customers' phones using mobile browsers over a 3G/WAP data connection began to carry the subscriber's phone number, which any site the user visited could read.

The number was not sent, however, when users browsed the same sites via Wi-Fi, which points to O2's own network path rather than the handsets as the source of the leak.
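The way a subscriber checked for this leak was to load a page that simply reflects the HTTP request headers it received and compare the result over mobile data with the result over Wi-Fi. The script below is an added example, not code from the original article or from O2: it is a tiny header-echo server plus a heuristic that flags headers that look like they carry a phone number (MSISDN). The header names in SUSPECT_HEADERS and the sample requests are assumptions constructed for the example; the sample number sits in the Ofcom 07700 900xxx range reserved for fiction.

```python
"""Header-echo server and MSISDN-leak check (added example, not from the article).

Run with --serve, then browse to http://<host>:8080/ from a handset once over
mobile data and once over Wi-Fi; any header that appears only on the mobile
path and carries a number is the carrier-side leak to investigate.
"""
import json
import re
import sys
from http.server import BaseHTTPRequestHandler, HTTPServer

# Loose E.164 shape: optional "+" or "00" prefix, then 10-15 digits.
MSISDN_RE = re.compile(r"^(?:\+|00)?\d{10,15}$")

# Header names that carrier proxies have been known to use for subscriber
# identity. Assumed list for the example; O2's actual header is not named
# in the article. Any of these is flagged regardless of value.
SUSPECT_HEADERS = {
    "x-up-calling-line-id",
    "x-msisdn",
    "x-up-subno",
    "x-nokia-msisdn",
    "x-wap-msisdn",
}

# Standard headers whose values are legitimately all digits; never flagged.
STANDARD_NUMERIC = {"content-length", "age", "max-forwards"}


def find_msisdn_leaks(headers):
    """Return {header_name: value} for headers that appear to carry a phone number.

    Rule (a): known subscriber-identity header names are always flagged.
    Rule (b): any other header whose value, with spaces/dashes/parens removed,
    matches MSISDN_RE is flagged. Rule (b) is a heuristic and can produce
    false positives (e.g. a numeric request id), so review hits by hand.
    """
    leaks = {}
    for name, value in headers.items():
        lname = name.lower()
        compact = re.sub(r"[\s\-()]", "", value)
        if lname in SUSPECT_HEADERS:
            leaks[name] = value
        elif lname not in STANDARD_NUMERIC and MSISDN_RE.match(compact):
            leaks[name] = value
    return leaks


class HeaderEchoHandler(BaseHTTPRequestHandler):
    """Reflect every request header back as JSON, with suspected leaks called out."""

    def do_GET(self):
        headers = {k: v for k, v in self.headers.items()}
        report = {
            "headers": headers,
            "suspected_msisdn_leaks": find_msisdn_leaks(headers),
        }
        body = json.dumps(report, indent=2).encode("utf-8")
        self.send_response(200)
        self.send_header("Content-Type", "application/json")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):  # keep stdout quiet
        pass


def serve(port=8080):
    HTTPServer(("0.0.0.0", port), HeaderEchoHandler).serve_forever()


# Constructed sample requests (not real captures). The mobile one mimics a
# request that passed through a carrier proxy that appended the caller's number.
SAMPLE_MOBILE_REQUEST = {
    "Host": "example.com",
    "User-Agent": "Mozilla/5.0 (iPhone; CPU iPhone OS 5_0 like Mac OS X)",
    "Accept": "text/html",
    "Content-Length": "0",
    "X-Forwarded-For": "10.0.0.5",
    "x-up-calling-line-id": "447700900123",  # assumed header name, fictional number
}
SAMPLE_WIFI_REQUEST = {
    "Host": "example.com",
    "User-Agent": "Mozilla/5.0 (iPhone; CPU iPhone OS 5_0 like Mac OS X)",
    "Accept": "text/html",
    "Content-Length": "0",
}

if __name__ == "__main__":
    print("mobile path:", find_msisdn_leaks(SAMPLE_MOBILE_REQUEST))
    print("wi-fi path: ", find_msisdn_leaks(SAMPLE_WIFI_REQUEST))
    if "--serve" in sys.argv:
        serve()
```

The mobile-data sample trips the check on the assumed subscriber-identity header while the Wi-Fi sample is clean, which is exactly the difference the article describes; a site operator can drop the same `find_msisdn_leaks` check into request logging to notice a carrier leaking numbers to them.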

It is a significant breach of customer privacy: the exposed numbers could be harvested for SMS spam, used to sign victims up to premium-rate text services, and fed into other attacks that depend on knowing a target's mobile number.

The security breach comes on the heels of a particularly sensitive year for mobile device security. Last April, a software bug in Apple iPhones (running iOS 3.2 and above) was found to log users' location data in unencrypted files stored on the phones themselves, raising the hackles of millions of customers as the story spread almost instantaneously. And as recently as last month, it emerged that data-tracking software from phone-monitoring software maker Carrier IQ was already installed on countless phones across the country, again raising concerns among mobile customers as well as the larger privacy watchdog community.

O2 acknowledged the breach of customer privacy in a statement issued on Wednesday, saying the issue has been fixed.

"In between the 10th of January and 1400 Wednesday 25th of January...there has been the potential for disclosure of customers’ mobile phone numbers to further website owners," O2's statement read. "It was fixed as of 1400 on Wednesday 25th January 2012."

The Information Commissioner's Office (ICO), the public U.K. body that enforces the Data Protection Act 1998 and other legislation pertaining to information security, is currently investigating the matter.

"When people visit a website via their mobile phone they would not expect their number to be made available to that website," the ICO said in a statement issued Wednesday. "We will now speak to O2 to remind them of their data breach notification obligations, and to better understand what has happened, before we decide how to proceed."

O2 says it is "co-operating fully" with the ICO and is also in contact with Ofcom, the United Kingdom's independent communications regulator.

As O2's subscribers are only now learning of the mistake, the repercussions of the breach are not yet clear.

With additional reporting by Mike Isaac