ShinyHunters, a hacker group, has posted sensitive Odido customer data online for the third consecutive day. The breach has raised serious concerns about the safety of victims of stalking and domestic violence, because detailed information about them has been exposed. The situation is particularly alarming because the data includes names, addresses, phone numbers, dates of birth, bank account details, and ID numbers of 6.2 million current and former Odido customers.
The hackers have demanded a ransom of over 1 million euros, threatening to release 1 million lines of data daily until their demands are met. Odido has refused to pay, and ShinyHunters has vowed to continue releasing the data over the next two weeks if the company doesn't comply. This has led to a public outcry and calls for action from various organizations.
The data breach has revealed detailed internal customer notes, including sensitive information about stalking, threats, domestic violence, and protected addresses. At least five individuals are noted as being stalked by an ex-partner, and other entries relate to domestic abuse or customers whose addresses were intentionally shielded for safety. Experts emphasize the importance of secrecy around phone numbers and home addresses for victims, but this data is now publicly accessible.
A spokesperson for Veilig Thuis, the national reporting center for domestic violence, expressed deep concern that such sensitive information about victims of stalking and domestic violence has ended up on the internet. The spokesperson emphasized that this is not ordinary personal data but information that directly affects someone’s safety. The idea that details about one's situation could be public increases fear and insecurity.
The Dutch police are urging the public to be vigilant against suspicious emails, phone calls, and messages. They are working to identify the perpetrators and limit further data distribution, but the internet's speed can sometimes outpace the police's response. The country from which the hackers are operating remains unknown.
Odido's storage of sensitive details in a special free-text field for internal notes has been criticized. These fields include explicit instructions not to disclose a customer’s home address, along with the reason, including stalking, domestic violence, or harassment. Experts and organizations like Veilig Thuis stress the need for organizations to question the necessity of recording such information, its retention period, and the level of security.
The stolen data is no longer confined to the dark web. Ethical hacker Sijmen Ruwhof noted that the information is now available on the open internet, easily accessible to anyone with an internet connection. Odido has advised customers who feel unsafe to contact the police and offered assistance in checking if their data was published and obtaining a new phone number if necessary.
The hackers previously published hundreds of thousands of records on the dark web on Thursday and Friday. The breach is believed to have occurred through phishing attacks on customer service employees’ accounts, though Odido has not confirmed the method. This incident highlights the ongoing challenges in protecting sensitive customer data and the potential consequences of data breaches.