Odido rules out compensation after massive cyberattack affecting 6.2 million accounts

Odido has said it will not offer compensation to customers affected by a data breach resulting from the cyberattack in February. A spokesperson confirmed this after remarks made by CEO Søren Abildgaard in De Telegraaf. The CEO stated that there is no evidence that the telecom company breached any regulations.

In a series of videos released on Tuesday, the Danish CEO updated customers on the cyberattack and its consequences. He described the intrusion by the hacker group ShinyHunters as “not an ordinary attack.” The incident took place in early February, when Odido was hit by a cyberattack that allegedly resulted in the theft of personal data from around 6.2 million accounts.

The criminal hacker group demanded a ransom for the data, but Odido chose not to pay. The group then published the stolen customer data online. “I strongly believe that criminals should not be rewarded for illegal activities,” the CEO said. “We knew this could mean the stolen data would be made public. Still, I ultimately felt this was the responsible choice.”

Abildgaard said the hacker group ShinyHunters infiltrated systems using “voice phishing,” allowing them to extract significant amounts of data. The attackers reportedly impersonated IT staff from Odido during phone calls and executed two separate intrusions on 5 and 6 February.

The Danish CEO says Odido has learned from its communication around the hack. “We wanted to communicate quickly, but also make sure the information we shared was complete and correct,” he said in a video message. The company, therefore, chose to first complete its investigation. “I understand that customers wanted more information during that period. We have learned from this.”

The top executive added that Odido is continuously strengthening its defences against cyberattacks. He also said the telecom provider is investing further in improving the way it safeguards and stores customer data.

Authorities are examining whether Odido retained personal data longer than permitted, following a cyberattack in which information was also taken from former customers who had left the company years earlier. The Dutch Public Prosecution Service has opened a criminal investigation, while a mass legal claim is also being prepared, with around 350,000 people having registered by late April.

In early May, ShinyHunters targeted the American company behind the Canvas education platform, an incident that also impacted several Dutch universities. On Tuesday, the company reportedly struck a deal with the hackers and regained access to the stolen data.