Odido only noticed theft of 6.2 million people’s data when hackers informed them
Odido discovered that hackers had stolen personal data belonging to millions of its customers and those of telecom provider Ben only after the criminals notified the company two days later, the Dutch telecom provider’s top executive told NOS on Tuesday.
Tisha van Lammeren, Odido’s chief executive, told NOS that an internal investigation conducted on the day of the early February attack by the criminal group ShinyHunters concluded that no customer data had been taken. It is the first time since the hack that Odido’s leadership has spoken publicly about the incident.
After Odido refused to pay a ransom, ShinyHunters published the data of more than 6 million people on the dark web. “That was a dark day for all of us,” Van Lammeren said.
The breach occurred when a ShinyHunters hacker called an Odido customer service employee, pretended to be from the company’s IT department, and tricked the employee into logging in to a fake version of the work environment. The hacker then stole the employee’s login credentials.
Odido blocked the compromised account within one hour, but the data of millions of customers had already been downloaded in that short period, Van Lammeren said. “We were extremely surprised by the speed with which everything happened.”
The company noticed the intrusion itself but missed the data theft. “No alarm went off when the data was downloaded on Feb. 5,” she said. Later that same day, Odido and an external cybersecurity firm examined the digital traces, and both concluded that nothing had been stolen.
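The failure described above, a compromised agent account pulling millions of records with no alarm, is the kind of gap a volume-based detection on the customer-data audit trail is meant to close. The following is an added illustration, not code from Odido or its security firm: it runs a per-account sliding-window check over a few constructed audit-log lines (the log format, account names and thresholds are assumed for the example) and raises one alert when an account's record access within the window exceeds what a normal customer-service session would produce.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample audit log for the example (not real data). Assumed format:
# "<ISO timestamp> account=<user> action=<verb> records=<count>"
# agent42 behaves like a hijacked service-desk account bulk-exporting records.
SAMPLE_LOG = """\
2026-02-05T10:00:05Z account=agent17 action=customer_lookup records=1
2026-02-05T10:00:40Z account=agent17 action=customer_lookup records=1
2026-02-05T10:02:10Z account=agent42 action=customer_lookup records=1
2026-02-05T10:03:00Z account=agent42 action=customer_export records=25000
2026-02-05T10:03:30Z account=agent42 action=customer_export records=25000
2026-02-05T10:04:00Z account=agent42 action=customer_export records=25000
2026-02-05T10:05:00Z account=agent42 action=customer_lookup records=1
2026-02-05T11:30:00Z account=agent17 action=customer_lookup records=1
"""


def parse_line(line):
    """Parse one audit-log line into a dict with a datetime and int record count."""
    ts_text, *fields = line.split()
    event = {"ts_text": ts_text,
             "ts": datetime.strptime(ts_text, "%Y-%m-%dT%H:%M:%SZ")}
    for field in fields:
        key, value = field.split("=", 1)
        event[key] = int(value) if key == "records" else value
    return event


def detect_bulk_access(log_text, window=timedelta(minutes=60), max_records=500):
    """Return one alert per account whose records accessed within any
    `window`-long period exceed `max_records` (the thresholds are assumed
    values for the example; a real baseline would come from normal traffic)."""
    recent = defaultdict(deque)   # account -> deque of (timestamp, records)
    alerted = set()
    alerts = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = parse_line(line)
        dq = recent[ev["account"]]
        dq.append((ev["ts"], ev["records"]))
        # Drop events that fell out of the sliding window.
        while dq and ev["ts"] - dq[0][0] > window:
            dq.popleft()
        total = sum(n for _, n in dq)
        # Fire once per account so a single session is not reported many times.
        if total > max_records and ev["account"] not in alerted:
            alerted.add(ev["account"])
            alerts.append({"account": ev["account"],
                           "at": ev["ts_text"],
                           "records_in_window": total})
    return alerts


if __name__ == "__main__":
    for alert in detect_bulk_access(SAMPLE_LOG):
        print(f"ALERT {alert['at']} account={alert['account']} "
              f"records_in_window={alert['records_in_window']}")
```

The detection keys on volume rather than on any single action being forbidden, which is the point of the passage: the compromised account used a legitimate login, so only a deviation from the account's normal access rate, such as tens of thousands of records inside one hour, distinguishes the theft from routine service-desk work. A real deployment would derive the threshold from observed per-agent baselines and pair the alert with an automatic session revocation.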
ShinyHunters reportedly caught Odido off guard when they contacted the company on Feb. 7, claiming to have taken the customer data. Asked why the theft was not detected, Van Lammeren said: “The hackers have good techniques for that. That happens in the background. And we didn’t see that.”
The full extent of the breach remained unclear for weeks. Only in early March, after ShinyHunters posted all the data online, did Odido discover that business customer records had also been stolen. “We thought it only concerned consumers of Ben and Odido. Then it turned out that it also involved a group of business users,” Van Lammeren said.
Van Lammeren admitted the company’s communication with customers was inadequate. Millions of current and former customers received messages several days after the hack informing them their data may have been compromised. Odido also posted information on its website but provided few updates afterward.
“Looking back, I think we should have let something be known, also about things you don’t know,” Van Lammeren told NOS. Customers “do hold it against us that it has been so quiet.” Better communication is the most important lesson learned from the attack, she said.
Two Dutch regulators are continuing their investigations into whether Odido maintained adequate security on its customer systems and whether it retained customer and former-customer data longer than permitted. The watchdogs told NOS it is unclear when those probes will be completed.
Van Lammeren said the company is focused on rebuilding trust. “Because that is broken, after all. We are terribly sorry to our customers that this happened. It feels really bad.”
