Cyber Incident With Major Consequences At Odido: Is Your Organisation Prepared?
The staggering impact of social engineering.
Private data belonging to more than 6 million Odido customers has been stolen by the hacker group ShinyHunters. This includes sensitive private and financial information, such as names, home addresses, telephone numbers, bank account numbers and identity document numbers.
It now appears that more sensitive data may have been leaked than initially thought. Citizen service numbers (BSN) and residence documents are also believed to be among the stolen data.
The attack turned out not to be a classic technical hacking incident, but mainly the result of “social engineering”: deceiving employees in order to gain access to systems.
How could the Odido hack happen?
Various analyses show that the attackers approached employees via email and telephone, posing as Odido IT staff. Through phishing, they managed to obtain login details from customer service employees, among others. Once a password had been stolen, a second step followed. The attackers called again and convinced employees to approve a fraudulent multi-factor authentication (MFA) login. This bypassed an important additional security mechanism. With these accounts, the criminals gained access to Odido's Salesforce-based CRM environment, where large amounts of customer data are stored. From this environment, they were able to collect data automatically, potentially compromising the data of more than 6 million customers.
Cybersecurity experts also point out that it was probably possible to export data for a long time without the systems raising the alarm. Normally, unusual behaviour, such as large amounts of data exports, would be detected automatically.
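The automatic detection the experts refer to can be as simple as counting exported records per account over a sliding time window and alerting when the total exceeds what a customer-service role ever legitimately needs. The following is an added example, not code from Odido or from any CRM vendor; the audit-log line format, the user names and the record counts are constructed for illustration, and the 10,000-record threshold is an assumed baseline that a real deployment would derive from historical per-role volumes.

```python
"""Flag accounts that export an abnormal volume of CRM records within a time window.
Added example; the log format below is constructed, not a real CRM audit format."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample audit log: "<timestamp> <user> <action> <record_count>".
# bob.cs behaves like a compromised account pulling tens of thousands of records
# in a few minutes; alice.cs shows a normal support workload.
SAMPLE_LOG = """\
2024-01-10T09:00:12Z alice.cs export_report 120
2024-01-10T09:14:03Z alice.cs export_report 80
2024-01-10T09:31:45Z bob.cs export_report 200
2024-01-10T10:02:10Z bob.cs export_report 45000
2024-01-10T10:05:40Z bob.cs export_report 48000
2024-01-10T10:09:15Z bob.cs export_report 47000
2024-01-10T11:00:00Z carol.cs view_record 1
"""


def parse_log(text):
    """Parse the constructed log into (timestamp, user, action, count) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, action, count = line.split()
        events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), user, action, int(count)))
    return events


def find_bulk_exporters(events, window=timedelta(hours=1), max_records=10_000):
    """Return {user: records_in_worst_window} for every user whose exported record
    count inside any sliding window of length `window` exceeds `max_records`.
    The threshold is an assumed baseline; tune it per role from historical data."""
    per_user = defaultdict(list)
    for ts, user, action, count in events:
        if action == "export_report":
            per_user[user].append((ts, count))

    flagged = {}
    for user, exports in per_user.items():
        exports.sort()
        start, running, worst = 0, 0, 0
        for ts, count in exports:
            running += count
            # Slide the window start forward until it fits within `window`.
            while ts - exports[start][0] > window:
                running -= exports[start][1]
                start += 1
            worst = max(worst, running)
        if worst > max_records:
            flagged[user] = worst
    return flagged


if __name__ == "__main__":
    for user, total in find_bulk_exporters(parse_log(SAMPLE_LOG)).items():
        print(f"ALERT: {user} exported {total} records within one hour")
```

Volume alone is a coarse signal; a production rule would also compare each account against its own historical baseline and correlate the spike with the preceding sign-in events (new device, unusual location, an MFA approval shortly after a denied prompt), so that a fresh session followed by a burst of exports is escalated rather than merely logged.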
The hacker group then demanded a ransom of one million euros, which Odido decided not to pay. As a result, the stolen data has now been made public.
What does this mean? In the coming months and possibly even years, this data could be misused for various forms of fraud, identity theft, scams and targeted phishing attacks. This underlines how significant the impact of a single human error can be.
What can we learn from this hack at Odido?
The Odido hack shows how vulnerable organisations can be when sensitive information is not adequately protected. Under the European General Data Protection Regulation (GDPR), the European privacy law that regulates how organisations must handle personal data, organisations are obliged to process personal data carefully and to protect it properly. Among other things, this means that companies may only collect necessary data (data minimisation), must take appropriate security measures such as encryption and access control, and must be transparent about how data is used.
If a data breach does occur, it must be reported within 72 hours to the Data Protection Authority, the Dutch supervisory authority that monitors GDPR compliance. This authority can launch investigations, issue warnings, and impose fines of up to £18 million or 4% of global annual turnover.
The attack shows that it is not so much technical vulnerabilities, but identity theft and human deception that often constitute the biggest weak link. That is why, according to our experts, security awareness training is essential. By training employees to recognise phishing, handle data securely and follow the correct procedures, organisations can significantly reduce the risk of data breaches. It is a relatively small investment that can make a big difference, both in terms of protecting personal data and complying with the GDPR.
Different challenges require different expertise. For example, the Certified Data Protection Officer (CDPO) helps organisations prevent GDPR violations and data minimisation issues. For governance, audit and compliance with standards such as NIS2 and ISO, certifications such as CISSP, CISA, ISO 27001 LI and ISO 27001 LA provide the right knowledge. Training courses such as Security+ and CISMP focus on improving operational security, while CEH and Security+ help IT teams to better recognise and prevent attacks. For new risks, such as AI security, there are also customised training courses.
Consult our account managers to determine together what knowledge and training are needed to prevent cyber incidents in your organisation in the future.