It is, however, a data breach, triggering the requirement for them to report it to the regulator immediately or get fined, etc etc (if such rules exist in the UK)
I suppose even if O2 isn't in EU jurisdiction they could apply pressure since the example showed a Denmark customer being impacted. Maybe that telco in Denmark can't peer with O2 if O2 can't secure their EU customers data.