The write-up is more charitable when it comes to the possible reason why this may be happening. The specific quote: " Our suspicion is that the feature is used by internal O2 websites to identify the user trying to make changes to the account, but that one or more of O2's proxy servers have been misconfigured."
x-up-calling-line-id (and similar headers from other gateway vendors) are typically not meant to be sent in the clear beyond internal sites. Perhaps a certain set/class of URL ACLs were (mis)configured during a maintenance window that caused this to happen.
Similar to how websites leave cookies, carriers have always had the ability to send certain identifying information to external sites. Usually, such identifying information is munged in some way that doesn't make it possible to determine the mobile number of the subscriber.
The funny thing is that people are often surprisingly willing to provide their phone number on more and more sites, which then makes it trivial for such services to link the anonymized identifier with the actual mobile number.
Regarding the customer support folks, it's highly unlikely that they know anything about HTTP headers, since they are typically level 1 support. This type of query/complaint would be filtered up to level 2 or 3 usually quite quickly once enough customers start calling in, or if somebody happens to be reading certain media outlets (e.g. HN).
Some tweets claim it isn't happening for them any more so maybe this was a mistake being fixed?
However, amusing it's a honest mistake being fixed, this still SHOULD NOT HAPPEN in the first place. Companies dealing with personal data need to be more careful when the ramifications of "honest mistakes" can be so serious. It's right that people are making a fuss about this and pressuring O2 to fix this.
> The funny thing is that people are often surprisingly willing to provide their phone number on more and more sites, which then makes it trivial for such services to link the anonymized identifier with the actual mobile number.