Odido keeps customer data much longer than claimed; Many switching providers since hack

Odido keeps personal data of former customers much longer than it promises. The internet service provider’s privacy statement says it retains data for up to two years after the end of the contract. But former customers who switched up to 10 years ago received emails informing them that their data had been compromised in last week’s hack, Financieele Dagblad reported. Many Odido customers are jumping ship since the hack.

Odido announced on Thursday that hackers had broken into its system during the weekend of February 7 and 8 and gained access to 6.2 million people’s customer accounts, including names, account numbers, and addresses. The company says that no passwords, call logs, or billing information were compromised. It is one of the largest data breaches ever in the Netherlands.

The company emailed all affected customers about the breach. According to FD, people who ended their contracts with Odido between 5 and 10 years ago also got an email that their data had been compromised. That despite the fact that Odido claims that it won’t keep customer data longer than two years after the end of a contract.

The company told the newspaper on Monday that it needs more time to investigate why data was retained for longer than two years.

The hack seems to have spurred many Odido customers to look for other internet service providers. Internetten.nl, a platform for switching internet service providers, told AD that nearly a quarter of all people who switched providers via the platform in the past four days switched away from Odido. That’s three times as many as at the beginning of the month, when 6.7 percent of switchers were former Odido customers. This amounts to “hundreds” of people, the platform said.

Sister site Bellen.com has seen “no significant shifts.” According to entrepreneur Ben Woldring of the two sites, this is likely due to many Odido customers with mobile subscriptions being tied to multi-year contracts. Internet contracts are typically not renewed when they end because they’re not tied to getting a new device like mobile contracts often are. So they switch to month-to-month and are therefore easier to cancel.

According to RTL Nieuws, many customers whose data was stolen are now wondering whether they can claim compensation from Odido. On a dedicated information page, the company seems to discourage this idea. “A data breach does not automatically entitle you to compensation. Our efforts are currently focused on preventing customers from suffering any harm as a result of this incident,” Odido wrote.

But according to Tim Walree, a university lecturer in private law and technology, a provider can be held liable if someone suffers harm as a result of a data breach. “But that is only possible if Odido demonstrably violated the law,” and if the customer demonstrably suffered harm, he told RTL. If the company met all the security requirements when it was hacked, it cannot be held liable.