O2 could face a fine of up to £500,000 if it is found in breach of the Data Protection Act after sharing its customers’ phone numbers with the websites they visited.
The Information Commissioner’s Office (ICO) posted a note on its website requesting that consumers stop submitting complaints about the recent privacy breach as it had been so inundated with queries.
After the problem was discovered, O2 apologised for ‘the concern’ it had caused and blamed it on technical changes it had made as part of routine maintenance. The breach occurred between 10 and 25 January. The operator came in for heavy criticism from customers when the flaw was uncovered by a web systems administrator who set up a test to display the information sent to a website when visited on a mobile phone.
An O2 spokesman told Mobile this week that the security breach was a one-off. He said: ‘We identified the cause of the issue, fixed it, and we’re putting in place measures to ensure it doesn’t happen again.’
A spokeswoman for the Information Commissioner told Mobile its investigation would last for several weeks but could take even longer depending on the complexity of the case. She said: ‘We understood it was a high profile issue so got to work on it straight away… It’s clearly something that has affected a large number of people and it’s clearly something the public is concerned about so we are looking into it urgently.’
The spokeswoman said the Information Commissioner would not discuss how severe the breach was until the investigation had been completed. However, when asked what potential penalties O2 could face if found guilty, she said it could receive a fine of up to £500,000.
The ICO spokeswoman claimed this was the first instance of this type of data breach. The last serious loss of data from a mobile operator was in 2008, when T-Mobile discovered that two former employees had stolen and sold customer information. The men were later ordered to pay fines and confiscation costs of £73,700 after an investigation by the ICO.
Rival operators described the breach as ‘cock-up rather than conspiracy’ and stressed that they did not share mobile numbers with websites when their customers were browsing the internet on their phones.
Vodafone’s head of corporate responsibility Libby Pritchard said the only time the operator would share mobile numbers is with companies that offer services which are billed through a mobile or require a mobile in order to function, such as ringtone suppliers. She said: ‘These companies are approved Vodafone UK partners, and are subject to security checks to ensure they conform to our stringent requirements around protecting our customers’ privacy.’
Ovum senior research analyst Andy Kellett said: ‘The thing that is particularly worrying is the length of time that the breach happened for. [Just over two weeks] is a long time for people to be collecting data without you having any knowledge of them doing so. Another thing that would be worrying is that O2 did not have the systems in place to notice that this was happening.’