O2 UK has admitted that a security breach allowed third-party websites to capture the mobile phone numbers of users browsing the Internet via its network for two weeks this month.

The Telefonica-owned operator revealed in a statement that “technical changes we implemented as part of routine maintenance had the unintended effect of making it possible in certain circumstances for website owners to see the mobile numbers of those browsing their site.”

It said the problem lasted from 10 January until it was fixed yesterday after a software engineer at a mobile gaming firm raised the issue.

The security breach meant that website owners would have been able to capture the mobile numbers and re-use them for telephone and SMS marketing purposes – potentially in breach of the Data Protection Act. O2 says it is “co-operating fully” with the UK’s Information Commissioner's office, which is investigating the matter.  

“Security is of the utmost importance to us and we take the protection of our customers’ data extremely seriously,” O2 said. “We would like to apologise for the concern we have caused.”

The operator said that, under normal circumstances, mobile numbers are only shared “where absolutely required by trusted partners who work with us on age verification, premium content billing, such as for downloads, and O2's own services.”