Risk: Informational
A serious breach on O2's website enabled small business users to view other users' call records.
O2 operates a Bill Manager website that its customers can log into to check their call history; a coding error meant that any user with a valid log-on could view other users' call records. Using the loophole in the site, it would have been possible to write a script to extract a list of mobile phone numbers assigned to particular firms, along with details of the calls made using those numbers over the last three months. According to the O2 user who discovered the breach, in most cases, the name and department of the person making calls was also readily available. Within an hour of the breach being reported, access to the site was suspended.
It may have been possible to use social engineering techniques to send named individuals SMS spam or make multiple nuisance calls, although this does not appear to have happened.
O2 issued a statement about the security breach: "Bill Manager, O2's online bill viewing service, has been taken offline temporarily due to an isolated incident that raised security concerns. O2 took immediate action to shut down access to the site to ensure no risk to our customers' security while we add additional security features. It is important to note that this was a one off incident and no financial details were exposed. We would also like to reassure customers that their bills are unaffected."