O2 has been accused of exposing the phone numbers of customers who browse the internet using its mobile data.
Lewis Peckover, a system administrator for a mobile gaming company, said that he was "absolutely shocked" to discover the issue.
The Information Commissioner's Office said that it would speak to O2 "to better understand what has happened".
In a statement O2 said: "We are investigating and we'll update as soon as we can."
According to Mr Peckover, when a user connects to a webpage using mobile data, information is passed to the site including the mobile phone number.
Mr Peckover told the BBC that he made the discovery yesterday.
"We found that whenever you visit any website, O2 are sending your plain text easy-to-read, easy-to-capture, full mobile phone number to every site you visit."
To demonstrate the flaw, he set upan online scriptwhich allows users to see if their number is revealed.
"I've also tested it on four or five other sites," he told the BBC.
He said feedback he had received suggested that many, but not all, O2 customers were affected.
"It's not every O2 phone. Mostly it's people saying, yes it is affecting them, but there have been a couple saying they are unaffected."
So far users of Mr Peckover's site have not found that the problem affects other phone companies.
Mr Peckover told the BBC he would be making a formal complaint to the Information Commissioner's Office about the issue.
"I don't want sites to match up all my requests and potentially call me and talk to me about them," he said.
The Information Commissioner's Office told the BBC: "When people visit a website via their mobile phone they would not expect their number to be made available to that website.
"We will now speak to O2 to remind them of their data breach notification obligations, and to better understand what has happened, before we decide how to proceed."
One business owner who checked his servers' logs told the BBC that he had discovered that they contained hundreds of mobile phone numbers.
Nick Halstead, of Tweetmeme, said that he was concerned that advertisers could make use of the information.
"This would be very valuable to them. I think it's a matter of massive concern," he said.
"They could now know not just your phone number, but all the websites that you visit, and so target you."
News of the discovery spread rapidly on Twitter.
One Twitter user wrote: "I'm outraged this even happened. @O2 need to both fix this quick, AND explain why they decided to volunteer our numbers in the first place."
Another tweeted: "Woah - @O2 users' mobile numbers are being beamed to every website - and ad server - they access? That's... not good."
The @O2 account said looking into the matter was the firm's "top priority".
One researcher said that he had been aware that this could happen for some time.
Like Mr Peckover, Colin Mulliner wrote a script which allowed users to check what information their phones disclosed.
"I first talked about this publicly in March 2010. This is happening for sure," the PhD student at the Technische Universitaet Berlin told the BBC.