Odido under investigation for keeping customer data for too long
The Dutch Data Protection Authority (AP) and the National Inspectorate for Digital Infrastructure (RDI) are investigating whether provider Odido is retaining customer data for too long, AD reported. During the recent data theft at the company, hackers stole data of people who had not been Odido customers for years.
European privacy rules state that people’s data “may not be retained longer than strictly necessary, because what does not exist cannot be stolen,” the AP pointed out. The privacy watchdog had already asked Odido for an explanation last month.
The AP will investigate whether Odido complied with privacy rules. The RDI and AP will both investigate whether the provider had the proper technical security in place for its customer data.
It is important to be digitally resilient, said Inspector General Angeline van Dijk, head of the RDI. “As a society, we must be able to rely on the secure operation of our vital services.”
Hacker group ShinyHunters broke into Odido’s systems in February and stole the personal data of 6.2 million current and former customers, eventually publishing the data when Odido refused to pay a ransom. The data included names, addresses, email addresses, phone numbers, and bank account numbers, among other things.
The hack revealed that the company keeps customer data much longer than claimed. Odido’s privacy statement says it retains data for up to two years after the end of the contract. But former customers who switched providers up to 10 years ago received emails informing them that their data had been compromised in the hack.
