Comment by lol768

Comment by lol768 a day ago

8 replies

View on Hacker News

> Attempts were made to reach out to O2 via email (to both Lutz Schüler, CEO and securityincidents@virginmedia.co.uk) on the 26 and 27 March 2025 reporting this behaviour and privacy risk, but I have yet to get any response or see any change in the behaviour.

This is really poor. And why is a Virgin Media address the closest best thing here? https://www.o2.co.uk/.well-known/security.txt should 200, not 404.

To be clear, I have no problem with disclosure in these circumstances given the inaction, but I'm left wondering if this is the sort of thing that NCSC would pick up under some circumstances (and may have better luck communicating with the org)?

mrjeeves a day ago

This one is actually on us. The email contacted was actually @virginmediao2.co.uk, not @virginmedia.co.uk. It's a typo in the article.

I'll update it with a correction.

Reply View 5 replies
  • Mr_Minderbinder 18 hours ago

    I have spotted another error:

    > is within LAC 0x1003 (decimal: 4009)

    It should be decimal 4099.

    Reply View 4 replies
    • porridgeraisin 16 hours ago

      How did you spot that?

      Reply View 2 replies
      • jaoane 15 hours ago

        When you’ve been working with computers for long enough, the powers of 2 live in your head… and there’s no way 0x1000 is less than 4096 :)

        Reply View 0 replies
morsch 16 hours ago

There are several email addresses listed in the privacy policy (a GDPR requirement). Maybe somebody is listening there. E.g. DPO@o2.com

https://www.o2.co.uk/termsandconditions/privacy-policy

Reply View 1 reply
  • madaxe_again 9 hours ago

    You could file an SAR with them to find out what they’re doing internally with anything with your name linked to it. Might also be preemptively contacting https://www.openrightsgroup.org/ to get the narrative on your side, in case they come knocking with the CMA.

    Reply View 0 replies