O2 Data Breach: customers are best testers

UK mobile operator O2 found themselves in trouble last week, when it was discovered they automatically sent the user’s telephone number to any website they visited. Any. The problem is fixed now, but the error that caused the privacy violation was created on January 10th and remained uncorrected until January 25th, according to O2’s blog. Whilst O2 were quick to resolve the issue once they had become aware of it, the most important lesson learned (we can only hope it is learned this time) is that customers have become adept at spotting the mistakes not caught by the operator’s formal testing. Lewis Peckover, a system administrator at a mobile gaming company, not only found the problem, but helpfully shared it with the world, writing a script so anyone could check if their O2 phone was broadcasting their number. You can see his script page here.

A knee-jerk reaction might be to demand more controls, more testing, more whatever. Without knowing how O2 works, I would not like to comment. Mistakes happen and will keep on happening; a demand for more and more controls can only lead us in ever decreasing circles. My reaction to this incident is quite different. First, O2 reacted quickly. That is important. Agility demonstrates concern and limits risk. Second, they were transparent. They did not keep quiet and hope the problem would disappear. Instead, they were proactive in talking to customers, press and regulators. This also limits the eventual damage done. Third, all telcos could benefit from making it easy for customers to give them information, and being responsive when acting upon it. It was easy for Lewis Peckover to tell the whole world about O2’s bug. O2 got the message, but they got it via a public route. If the same information had been passed to them privately, and if they responded as rapidly, no more harm would have been done to customers, but less harm would have been done to O2’s reputation. Customers can and will keep finding flaws, and the internet makes it easy for them to share them publicly. As with Facebook’s bug bounty, telcos can get error-spotting customers to work for the telco, not against the telco. Trying to avoid mistakes is obviously important and deserves the investment of time and effort. However, a tiny investment in helping customers to help the business means the issues can be resolved quickly and quietly – thus generating a positive return for the firm.

Eric Priezkalns
Eric Priezkalns
Eric is the Editor of Commsrisk. Look here for more about the history of Commsrisk and the role played by Eric.

Eric is also the Chief Executive of the Risk & Assurance Group (RAG), a global association of professionals working in risk management and business assurance for communications providers.

Previously Eric was Director of Risk Management for Qatar Telecom and he has worked with Cable & Wireless, T‑Mobile, Sky, Worldcom and other telcos. He was lead author of Revenue Assurance: Expert Opinions for Communications Providers, published by CRC Press. He is a qualified chartered accountant, with degrees in information systems, and in mathematics and philosophy.