The top executives of the Dutch telecom operator told NOS earlier this week, precisely on Tuesday, that Odido only found out that hackers had taken over millions of its customers’ personal information and that of telecom provider Ben after the thieves alerted the firm two days later.
Odido’s CEO, Tisha van Lammeren, told NOS that an internal inquiry carried out on the day of the criminal gang ShinyHunters’ attack in early February this year found no evidence of client data theft. For the first time since the hack, Odido’s leadership has discussed the event in public with the members of the press.
ShinyHunters released over 6 million people’s data on the dark web after Odido had declined to pay a ransom. The remark from Van Lammeren had stated that there was a dark day for all of us.
The incident happened after a hacker from ShinyHunters called an Odido customer service representative, posed as a member of the company’s IT department, and duped the worker into logging into a fake and unreal workplace. The employee’s login credentials were then collected by the hacker.
According to Van Lammeren, millions of consumers’ data had already been downloaded in the hour when Odido took the step to stop the hacked account. He also went ahead to state that the speed at which everything happened caught us off guard.
The attack was detected by the company, but the data theft was somehow not noticed. “When the data was downloaded on February 5, no alarm went off,” she stated. After reviewing the digital traces later that day, Odido and an outside cybersecurity company came to the same conclusion: nothing had been taken.
Odido was allegedly taken aback when ShinyHunters phoned the business on February 7 and claimed to have stolen the client data. Van Lammeren responded that the hackers have good techniques for that when asked why the heist went unnoticed. That takes place in the background. And we failed to notice that.
It took weeks to determine the complete scope of the incident. Odido had not realised that business client records had also been stolen until early March, after ShinyHunters had uploaded all the material online. “We assumed it only affected Ben and Odido customers.” Van Lammeren added, “It later turned out that a group of business users were also involved.”
Van Lammeren acknowledged that there was not enough consumer communication within the organization. Several days after the incident, millions of existing and past customers received alerts alerting them to the possibility that their data had been exposed. Odido published material on its website as well; however, there was no follow-up with many updates.
Van Lammeren further told NOS, “Looking back, I think we should have let something be known, also about things you don’t know.” The fact that it has been so silent is something that customers “do hold against us” she stated that the most crucial lesson from the attack is improved communication.
The question of whether Odido kept customer and former customer data longer than allowed and whether it maintained sufficient security on its client systems is still being investigated by two Dutch regulators. It’s unclear when those investigations will be finished, the watchdogs told NOS.
According to Van Lammeren, the company’s goal is to restore confidence. “Because, after all, that is broken. We sincerely apologise to our clients for this incident. It is quite unpleasant.
In light of this, the breach has severely damaged public trust, prompting a mass class-action lawsuit alleging Odido’s negligence and excessive data retention, while Odido rules out automatic compensation, citing no proof of direct financial harm, and the Dutch Public Prosecution Service has opened a criminal probe, though affected users can check if their data was exposed using Have I Been Pwned or the Dutch police tool Check je Hack.
We use cookies to ensure that we give you the best experience on our website. If you continue to use this site we will assume that you are happy with it.
