[morsch]

There are several email addresses listed in the privacy policy (a GDPR requirement). Maybe somebody is listening there. E.g. DPO@o2.com

https://www.o2.co.uk/termsandconditions/privacy-policy

[madaxe_again]

You could file an SAR with them to find out what they’re doing internally with anything with your name linked to it. Might also be preemptively contacting https://www.openrightsgroup.org/ to get the narrative on your side, in case they come knocking with the CMA.