O2 notifies data cops 'for courtesy' ... AFTER El Reg intervenes in email phish dustup

Suggests customers must have lost their own data

O2 has denied that it's suffered a serious data breach after customers began receiving sophisticated phishing emails that appeared to have been sent by the mobile operator late last month.

Subscribers claimed that the body of the email included their name, email address and date of birth, and that the dodgy messages, which were about VAT, also contained details of their O2 data plans and monthly payments.

Reg reader Mike, who first alerted us to the scam, told us:

"O2 are saying it's a 'phishing email' and that 'no data has been compromised', which seems rather odd as there's no way that amount of data could or should be publicly available. I suspect a very detailed data breach in O2."

However, when we put those allegations to O2, it dismissed the claims.

We also asked the mobe carrier if it had contacted the UK's data watchdog about the phishing scam. But it hadn't got in touch with the Information Commissioner's Office - that is, not until after El Reg flagged up the potential data breach to O2.

"Whilst there’s no evidence that the information came from O2, we’ve notified the ICO out of courtesy," a spokeswoman at the company now tells us.

The ICO had earlier stated:

We haven’t received a report from O2 about this issue. We also haven’t received any complaints from their customers.

The regulator added:

If a person is concerned about O2’s handling of their data we’d advise them to raise their concerns with O2 in the first instance. If they are not satisfied with the organisation’s response then they can make a complaint to our office.

O2 customers continue to complain about the scam on a forum thread that currently runs to 31 pages. Reg reader Mike added that the firm had issued a flat denial that it was responsible for any subscriber data being leaked.

In a canned statement to El Reg, O2 appeared to be squarely pointing the finger at its customers. It said:

We investigated this phishing scam and found no evidence of customer information coming from O2. We believe the scammers gathered the information from other sources in an attempt to make the phishing email as authentic as possible.

Sources of information can include a compromise of the user’s computer/laptop (e.g. via the inadvertent loading of key loggers / other malware). This information can then be used by the scammers in targeted phishing emails to make the user think they are genuinely sent from the originator because it appears to contain accurate information to the user.

O2's phishing gripes come just months after BT-owned ISP Plusnet faced similar claims from its customers after their email accounts were compromised by spammers.

In that particular instance, the ICO told us in December that it was mulling over opening up a data breach investigation into Plusnet's handling of subscriber info.

The watchdog confirmed to El Reg on Monday that the Plusnet case was "still ongoing". ®

Biting the hand that feeds IT © 1998–2019