Think your phone number is safe when browsing the web via your mobile? It seems like a logical assumption to make.

But that might not be quite true if you’re an O2 customer.

TheNextWeb received a tip earlier today from someone who noticed that, in addition to sending standard HTTP headers like host, user agent and referrer, O2 was also sending a curious x-up-calling-line-id header. What does it contain? Nothing less than the phone number of the visitor.

The individual who discovered the issue, Lewis Peckover, created a web page through which the apparent flaw can be viewed. In addition to O2, customers on services that rely on O2’s network, including GiffGaff and Tesco Mobile, were also apparently affected. It should be noted that customers using a Wi-Fi connection, and not the mobile network, did not have their phone numbers shared.

The big question, obviously, is why this happened. O2 had responded, saying that it has fixed the issue and that it was caused by “technical changes implemented as part of routine maintenance”. 

The good news is that, according to The Register, the errant header isn’t being sent any more. But the bad news for O2 is that the damage may already be done.

The Information Commissioner’s Office is looking into the matter, with an ICO spokesperson stating, “We will now speak to O2 to remind them of their data breach notification obligations, and to better understand what has happened, before we decide how to proceed.”