The Information Commissioner's Office is to contact O2 about a possible breach of the Data Protection Act, after the network has been accused of sharing thousands of users' numbers with every website they visit.
Twitter user Lewis Peckover discovered the flaw on January 24 and set up a website which shows the information that O2 is giving to every website a customer visits - this information includes the users' phone numbers.
The ICO told the International Business Times UK: "Keeping people's personal information secure is a fundamental principle that sits at the heart of the Data Protection Act and the Privacy and Electronic Communications Regulations. When people visit a website via their mobile phone they would not expect their number to be made available to that website.
"We will now speak to O2 to remind them of their data breach notification obligations, and to better understand what has happened, before we decide how to proceed."
The website created by Peckover is running a basic script which displays the information - known as headers - that the website receives when it is accessed. From a Vodafone the mobile number was not shown, but when accessed by an iPhone on O2, the International Business Times UK found that the phone number appeared.
The security flaw could lead to criminals easily gathering phone numbers for use in a phishing scam.
It is not yet known if the problem is in breach of O2 customers' contracts, but reports from customers have suggested that O2 are to offer compensation to any customer who is affected by this problem and follows O2's formal complaints process - although proving that you're number has been shared with a website might be difficult.