
A misconfiguration in the software supporting VoLTE functionality allowed for the tracking of the physical location of tens of millions of users of the British telecommunications provider Virgin Media O2—including customers of Giffgaff and Tesco Mobile, who share the same network infrastructure.
The vulnerability remained undetected until it was disclosed by engineer Dan Williams, who subsequently reported the issue to the UK’s Information Commissioner’s Office (ICO) and the communications regulator, Ofcom.
The flaw affected all devices with active 4G calling enabled. Any user possessing a Virgin Media O2 SIM card could access technical call identifiers—such as location area codes and cell IDs—and use this data to determine which base station the called party was connected to. In densely populated urban areas, where cell towers are tightly clustered, this geolocation could be accurate to within 100 square meters.
Williams stated that he initially notified the operator in March but received no response until he published a blog post in May. He expressed disappointment in the company’s handling of the issue, emphasizing that his intent was to safeguard user privacy—not to confront the provider.
Virgin Media O2 responded that the flaw was promptly rectified upon notification, adding that exploiting the vulnerability required a certain degree of technical expertise. The operator acknowledged that the issue may have existed since the software’s deployment in 2023, though it declined to specify the exact duration of the exposure.
The company emphasized that customers need not take any action and that there was no evidence the vulnerability had been exploited beyond the technical demonstration shared in the researcher’s blog. Representatives also clarified that no external network compromise had occurred and that all exposed data remained confined within the internal infrastructure.
To illustrate the severity of the risk, Williams conducted a controlled experiment: with the help of a volunteer—an O2 subscriber—he was able to pinpoint their approximate location in central Copenhagen. He noted that disabling 4G calling could mitigate the threat, but on certain devices, including iPhones, such an option is not available.
Giffgaff, which also operates on the Virgin Media O2 network, declined to comment. Tesco Mobile, whose customers may likewise have been affected, did not respond to inquiries.
Ofcom confirmed that it is investigating the incident and has requested a detailed explanation from the operator regarding the root cause and broader implications of the issue. The ICO stated that, after reviewing the circumstances and the remediation steps taken, it does not intend to pursue further action at this time.