Odido refuses ransom: cybercriminals dump initial customer data on dark web
Data of another 6 to 10 million Dutch citizens at risk of ending up on dark web
Odido did not respond to the ransom demand of the hacker group ShinyHunters. The cybercriminals then published some of the sensitive customer information on the Dark Web. To make matters worse, the amount of information appears to be larger than originally thought.
ShinyHunters cybercriminals reportedly gave Odido until today, Feb. 26, to pay between 500,000 and 1 million euros in Bitcoin. If Odido does not pay on time, 1 million lines of sensitive customer information will be published on the dark web every day. To bolster that claim, a small dump of 100,000 lines has already been published.
Odido has no intention of paying; consequently, another 6 to 10 million sensitive personal data records are at risk of appearing on the dark web. As Odido previously reported, that information includes names, addresses, and account numbers, but it has since become clear that more data was stolen. NOS reported that internal customer notes were also captured, including whether a customer has a trustee or is considered difficult to deal with.
Violation of data retention policy
In addition to information on existing Odido and Ben customers, the dump reportedly contains data on former customers. This violates Odido's own rules, as the company states it retains customer data for a maximum of two years. How Odido still possessed this data is under investigation.
For current and former customers, the investigation is currently secondary to immediate risks. Without a ransom payment, their data risks falling into the hands of cybercriminals who can carry out highly targeted phishing attacks. Be wary of future emails, text messages, letters, and phone calls.
This incident follows several large-scale hacks previously linked to ShinyHunters, including the 2024 Ticketmaster breach. That incident involved the theft of customer data from 560 million users.
