All mobile operators in the UK provide access to the end user's MSISDN, either via injecting a header or via a reverse IP API call (which gets around the SSL issue). In the UK mobile billing is highly regulated by Ofcom and PhonePayPlus, so only a small number of companies are allowed direct access to the end user's MSISDN. The relevant headers are only added to requests made to approved URLs; I don't believe O2 adding it to every request in 2012 was intentional.

To get around this a number of companies provide services that anonymise the MSISDN, so you can get a unique ID for end users the same as the Verizon header works. I don't know whether this is used by an advertising network or for cross promotion, but I would be highly surprised if it wasn't. Given one of the main proponents of mobile billing are the adult entertainment and gambling industries, I wouldn't put it past them to not have shady business practices like this.

Also Three and O2 are completely separate companies, O2 has a number of MVNOs of which Tesco is one.

(I used to work for a telecom services company in the UK)

My understanding about O2 was that it was a misconfigured proxy - they usually send your mobile number as a header to some internal sites (for example, you can check your pay-and-go account balance without logging in, IIRC), but managed to misconfigure it so it sent your number everywhere. They removed it ASAP, not putting up any sort of fight, so I suspect that's truly the case.

An article on the subject, from the same source: http://www.theregister.co.uk/2012/01/25/o2_number_sharing/