A significant data breach affecting Dutch telecom provider Odido and its budget brand Ben has escalated dramatically this week. The hacking group known as ShinyHunters has made good on threats to release private customer records on the dark web after Odido refused to comply with ransom demands exceeding €1 million.
Details of the Breach
The breach was first identified over the weekend of February 7, 2024, but the situation intensified when the hackers initiated a “daily leak” campaign. Following Odido’s refusal to negotiate, the group released 1 million lines of data on Thursday, with another 1 million appearing online early Friday morning. While Odido confirmed that approximately 6.2 million current and former customers were affected, ShinyHunters claims the total number of compromised records is closer to 21 million.
Investigative reporting from Hackread.com indicates that the hackers are using these leaks as leverage to compel Odido back to the negotiating table. They have issued a final warning for the company to pay the ransom or face additional repercussions.
Contents of the Leaked Data
The information that has been compromised is extensive, encompassing more than just names and phone numbers. Reports indicate that the leaked data includes physical home addresses, email accounts, and sensitive bank account details, such as International Bank Account Numbers (IBANs). Alarmingly, the breach also exposed critical identification information, including passport and driving licence numbers.
Odido has reassured customers that plaintext passwords, meaning passwords in an easily readable format, were not part of the data leak. The company also emphasized that billing information and actual scans of identity documents remain secure. Nonetheless, with a significant amount of personal data now publicly accessible, the risk of identity theft has escalated.
Odido’s Response and Security Measures
Despite the pressure from ShinyHunters, Odido’s CEO Søren Abildgaard has firmly stated that the company will not negotiate with criminals or yield to blackmail. This stance is supported by the Dutch national police. Stan Duijf from the police cybercrime unit advised victims of ransomware not to pay ransoms, as this could potentially fund future attacks and does not guarantee the deletion of the compromised data.
In light of the breach, Odido is providing affected customers with a complimentary 24-month digital security package, an initiative intended to help safeguard users against potential threats. Customers of Odido and Ben are advised to remain vigilant regarding unexpected phone calls or links.
The implications of this breach extend beyond immediate security concerns, highlighting the ongoing challenges faced by companies in safeguarding customer data amid rising cyber threats. The actions taken by Odido and law enforcement may set a precedent in handling such incidents in the future.