O2 data breach: why we should all be worried

O2 data breach: why we should all be worried
Time to keep a closer eye on what we do with our data

The news O2 has been leaking user information all over the internet is cause for concern - and not just for its customers.

It highlights a much bigger issue: that most people have no idea what info is being unveiled when browsing the web and it can, on occasion, be exploited.

Let's put this in perspective though - only when these loopholes are exposed and the mandatory public outcry of 'but won't anyone think of the CHILDREN' is uttered do they come to light. Just because it sometimes can be exploited certainly doesn't mean it will be.

Not the first time

But this isn't a new scenario - far from it, big brands have been (erroneously or otherwise) been giving up info they shouldn't for years.

In 2006 Google was found to be exposing full contact lists of Gmail users - it swiftly plugged the hole and issued a note 'thanking' the internet for bringing the issue to its attention.

And just under two years ago, Orange UK was shown to be doing the same thing O2 is accused of today - revealing personal numbers in website code sent to servers when browsing the web.

web data leak

Both companies have obviously plugged the leak, and O2 is now blaming today's problem on an errant routine maintenance upgrade, again highlighting that delivering such data is never a pre-planned idea by a company.

Where's my data gone?

However, it does raise a much bigger issue about what companies like O2 can do with our data. In a Q&A to explain the data leak, there was a telling paragraph:

"When you browse from an O2 mobile, we add the user's mobile number to this technical information, but only with certain trusted partners. This is standard industry practice.

We share mobile numbers with selected trusted partners for 3 reasons: 1) to manage age verification, which manages access to adult content, 2) to enable third party content partners to bill for premium content such as downloads or ring tones that the customer has purchased 3) to identify customers using O2 services, such as My O2 and Priority Moments."

What does this mean for the 'normal' user who is only now becoming aware that their data could be sent to places they weren't aware? Well, a trip down O2's T's & C's makes for some pretty hairy reading.

You can read it all here but to summarise, O2 can send your location data, calling records, and other forms of communication to 'selected third parties' as specified by O2, with no obvious way of finding out what these are. To stop them, you'll need to write to the network (or call in the case of location data) - which is quite the rigmarole for any normal user.

However, it's absolutely key to state that O2 is completely within its rights to do so here, as stated by the Information Commissioner, and is by far not the only network to do so.

And to further add confusion to the mix: the Information Commissioner's Office, which deals with all matters of data privacy, is seemingly unable to decide whether mobile phone numbers combined with web browsing history constitutes a privacy breach.

TechRadar was told that a mobile phone number alone isn't information that can personally identify an individual, although page 5 of the 'What is personal data?' guide clearly states:

"Does the data impact or have the potential to impact on an individual, whether in a personal, family, business or professional capacity? If Yes, then the data is 'personal data' for the purposes of the DPA."

Surely web history plus a mobile phone number is enough to create an impact? What if a person browsing adult content was constantly called or texted on the subject and the spouse picked up the handset?

The upshot of today's data dealings is pretty simple: all users should be aware that a great amount of data is held by phone networks, and it's pretty easy to expose certain elements of that due to human error.

O2, like all companies that slip up with data, should be held accountable for its mistake over the past few weeks, but it's unlikely to face any punishment unless an investigation is launched so users won't be able to seek compensation for the potential data leakage.

The simple answer: always read the terms and conditions of any service you'll be using regularly (even if it does take a while) if you don't want any surprises over what happens to your info... it sounds obvious but most companies won't assume you want to keep every little thing private and you'll be that little bit safer when the next data leak occurs.

Gareth Beavis
Formerly Global Editor in Chief

Gareth has been part of the consumer technology world in a career spanning three decades. He started life as a staff writer on the fledgling TechRadar, and has grown with the site (primarily as phones, tablets and wearables editor) until becoming Global Editor in Chief in 2018. Gareth has written over 4,000 articles for TechRadar, has contributed expert insight to a number of other publications, chaired panels on zeitgeist technologies, presented at the Gadget Show Live as well as representing the brand on TV and radio for multiple channels including Sky, BBC, ITV and Al-Jazeera. Passionate about fitness, he can bore anyone rigid about stress management, sleep tracking, heart rate variance as well as bemoaning something about the latest iPhone, Galaxy or OLED TV.