Hacker Newsnew | past | comments | ask | show | jobs | submitlogin

> Attempts were made to reach out to O2 via email (to both Lutz Schüler, CEO and securityincidents@virginmedia.co.uk) on the 26 and 27 March 2025 reporting this behaviour and privacy risk, but I have yet to get any response or see any change in the behaviour.

This is really poor. And why is a Virgin Media address the closest best thing here? https://www.o2.co.uk/.well-known/security.txt should 200, not 404.

To be clear, I have no problem with disclosure in these circumstances given the inaction, but I'm left wondering if this is the sort of thing that NCSC would pick up under some circumstances (and may have better luck communicating with the org)?



This one is actually on us. The email contacted was actually @virginmediao2.co.uk, not @virginmedia.co.uk. It's a typo in the article.

I'll update it with a correction.


I have spotted another error:

> is within LAC 0x1003 (decimal: 4009)

It should be decimal 4099.


How did you spot that?


When you’ve been working with computers for long enough, the powers of 2 live in your head… and there’s no way 0x1000 is less than 4096 :)


I did the conversion in my head as I was reading.


Oops. Thanks.


There are several email addresses listed in the privacy policy (a GDPR requirement). Maybe somebody is listening there. E.g. DPO@o2.com

https://www.o2.co.uk/termsandconditions/privacy-policy


You could file an SAR with them to find out what they’re doing internally with anything with your name linked to it. Might also be preemptively contacting https://www.openrightsgroup.org/ to get the narrative on your side, in case they come knocking with the CMA.




Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact

Search: