Telecom provider Odido was unaware for two days that the hack in early February had resulted in a massive data breach. CEO Tisha van Lammeren publicly acknowledged for the first time that an internal investigation had wrongly concluded that nothing had been stolen. The hacker group ShinyHunters had to report this themselves.
Phishing was used to gain access to the telecom provider’s networks. Although Odido blocked the compromised account within an hour, it was already too late. On February 5, the data of millions of customers was downloaded without any alarm being triggered, says Van Lammeren. It wasn’t until February 7, when ShinyHunters contacted the company themselves to say they had customer data in their possession, that the true extent of the breach became clear. “We were extremely surprised by the speed at which everything happened,” said the executive.
Theft remained unclear for a long time
Even after that, uncertainty persisted. It wasn’t until early March, after the group published all the stolen data on the dark web, that Odido discovered business customers had also been affected. The provider initially thought it only involved Odido and Ben consumers. Van Lammeren does not wish to explain how the hackers concealed the theft. “The hackers have good techniques for that. It happens in the background.”
Communication could have been better
A few days after the hack, the provider sent 6.2 million messages to customers and former customers. But further updates were scarce. Van Lammeren cites improving crisis communication as the most important lesson the company has learned. She acknowledges that the company should also have informed customers about matters that were still unclear.
Odido’s information page about the hack was expanded last week. In a video featuring the CEO, the company explains, among other things, why it decided not to pay a ransom to the hacker collective—a decision it still stands by.
Meanwhile, two regulatory investigations are underway regarding the security of the customer system and data retention periods. A completion timeline has not yet been established. The privacy foundation Consumers United in Court has also filed a class-action lawsuit against the provider. Van Lammeren says Odido wants to regain its customers’ trust after what she describes as “a dark day for all of us.”