Help me navigate next steps: Victim of a major data leak in NL

Hi, I’m among the 6M people affected by a major data leak from Odido, one of the biggest Dutch telecom providers. The data that was leaked was beyond what I have ever experienced in the past, where it would usually only cover email address or user name.

This time, pretty much all the sensitive data I have with them is leaked, i.e. full name, DoB, home and email address, phone number, bank number, ID number and its expiry date, etc. Granted the scan of my ID wasn’t leaked, I think a criminal would have enough data about me to impersonate me, CMIIW.

Their service provides TV, mobile, and internet subscriptions, which is common in NL. I’m now only their internet customer, but I used to be their mobile customer as well, which is why they had more personal data about me than that of an internet-only customer, like a scan of ID. But I left last year and they have a data retention policy of 2 years.

I already notified my bank, mobile provider, and workplace of this. Is there anything else I should do? And from a privacy perspective, do you think it’s rational for me to switch internet provider? There are not many options out there in my area for fiber optics provider and tbh, their internet quality is pretty good, despite their shitty support.

One analyst from ING (a major bank in NL) said that (in Dutch), “After all, how can you be sure that your competitor’s security is better? Moreover, many people will assume that a company that has suffered a breach will significantly increase its security.” Is this comment warranted?

Tyvm for your help.

Yes it is 100% rational to switch internet provider if there is a better option or one you can give less info. I don’t think that a company that has suffered a breach is less likely to have another breach again.

This is a good example of why you should use services that require as little info as possible, even if it is weird or inconvenient.

Although they do little to stop the inherent issues of telecom infrastructure, silent.link, cloaked, phreeli, and cape all collect less info and are more privacy respecting. Monero and cash require 0 KYC and leave nothing to be leaked.

I am curious why privacyguides does not have an article on wireless carriers or SMS verification sites and I think it would be a good addition to the site.

Up to you.

No.

No.

I would suggest you check out the following sites. I know nothing about NL so I simply find similar resources from US / UK for your information.

No, look at governments around the globe.

ty I’ll have a look

It is indeed a pretty big data leak given it’s a 1/3 of the total :netherlands: population. :fountain:

KPN, Ziggo or others won’t be safer per se.
Moreover, the data leaked from Odido: hence the hackers might not feel the need to come back for it because they just freshly stole from it, why come back again? To get caught?

You could always ask Odido to delete/anonymize your personal data (invoke GDPR) or you can poison it with some fake info given their lack of professionalism.

You’re outside of big cities I assume?
Because those are quite well wired for the most part (1 Gb/s symmetric is usually very easy to get). :grinning_face_with_smiling_eyes:

Not sure how much I would care about a random claim based on nothing.
Odido could indeed improve their security, it might just take months or years.
It is meanwhile a big enough company to still have potential cracks in their infrastructure.
Simplest is still to give the least info possible.

But hey, it might be easier now that we got this kind of breach to push back given that we have an actual example of incompetency to put in front of their face. :heart_eyes:


For next time, I guess you could either provide some fake PII (not sure how KYC the providers are[1]) or otherwise use a proxy like a ZZP and get it under a business name. Might be more expensive but could be a good way to shield yourself.


Given the list of what was stolen, the following could be kept private for next time:

  • :orange_circle: full name, maybe? could be faked or use a company name instead
  • :red_circle: address, hard to have a service without sharing that one :sweat_smile:
    • but if it’s only that info without too much of the rest, I guess it could be not too bad
  • :green_circle: mobile number, there are plenty of prepaid SIM cards available at AH stores without the need for an ID (KPN ones are 6-month valid if constantly used within that timeframe), more info here
  • Customer number, not really relevant here
  • :green_circle: email address, use Addy or SimpleLogin for that one :+1:t2:
  • :orange_circle: IBAN, I guess if they’re more of a pull the money rather than Tikkie/iDeal/bank details then it’s a blocker yeah…some other might have other payment methods available
    • but those are also harder to get rid of and are overall quite in a safer spot in general when it comes down to security[2] :+1:t2:
  • :blue_circle: birth date, if no ID is required during the sign-up, this one is also a quick easy lie I guess? not sure about the laws myself :thinking:
  • :red_circle: Identification data, was that needed during the creation?? I didn’t expect them to ask for a DigiD, maybe a BSN at worst? Nothing you can really do there unfortunately… :face_exhaling:

  1. I forgot what they’re asking and how much info is needed, I guess a physical address is mandatory :joy: but then not sure about the rest ↩︎

  2. not ideal for sure but nobody will just be able to pull money from your bank account directly anyway ↩︎

Thanks for your elaborate answer.

My area is only covered by ODF, so you only have Odido, Trined/SNLLR, and Freedom. I got Ziggo but theirs is not full fiber. Interested in Freedom, but they don’t offer mesh wifi in their sub, and atm I just don’t want to fork out money to get my own equipment.

I’m always hesitant to provide fake info for essential needs like internet connection. Might be my paranoia but in case there’s a problem and I didn’t completely fill in my personal info correctly, I don’t want to get tangled in some breach of contract.

In the list you gave, the only things I could minimize are mobile number and email address. Birth date and ID were not requested for internet, but were for their mobile subs as I had mentioned in my OP. Granted I left them already, they had to retain this for 2 years.

I might sound like a broken record as I mentioned many times in PG.

I am a big fan of Prepaid 5G sim card (ESIM if you wish, and if your router supports it)+ 5G router as home broadband, if you are fine with painfully slow uplink.

Might be quite limited very quickly if you do download/upload some minimal amount of data. :face_savoring_food:


Hm…I can understand.
At the same time, what kind of problem could happen where they would even need your personal info while you’re already a customer?
Once enrolled, you’re not really bothered in the future IMO. :hugs:

Yeah, can’t undo the past. :mending_heart:

In my region, I managed to get a 5G Business Prepaid SIM with 500GB data per month at dirt cheap price, I define dirt cheap as it is cheaper than the cheapest McDonald Meal in your region.

On average the whole household uses around 150GB per month.

wtff???

Haven’t checked business ones but that sounds like crazy good deal.
Where are you located for such a nice deal?

Also what’s your down speed + latency?

Not feeling too comfortable to disclose my coarse location, I could only say a country with a GDP per capita over $50k p.a.

In my region the 5G is 5G NSA so not full speed 5G, downlink around 300mbps, uplink 5mbps, ping is 4xms IIRC, which is on par with 4G+.

It is a reseller of carrier business SIM plans. The SIM I paid for expires in mid 2028, it contains a 500GB per month allowance (can’t say it’s a plan as a plan is meant to be a monthly subscription, but mine is not).

Haha no issues. :+1:t2:
I’ll look into those solutions myself, thanks for the heads up! :folded_hands:t2:

I use Freedom.nl.

I am very satisfied with this provider.

They support Bits of Freedom and have a Certified Information Privacy Professional Europe (CIPP/E) certificate.

According to the IAPP, this is the European standard for privacy certification. In short, it means that we are well informed about the GDPR and apply it in practice at all times and in all circumstances. The GDPR is the European privacy law that has been in force in the Netherlands and other European member states since 2018.

Of course, we celebrated! But sitting still is not an option. To remain certified, points must be earned. So the privacy officer is back to studying hard!

They are also a member of the Privacy Coalition and MANRS.

Thanks! Fortunately, Freedom is one of the providers that is on the ODF network in my city. The only caveat is that at the moment, I’m not in the financial condition to purchase a separate mesh device and we definitely need at least 2 points in our house. Since Freedom doesn’t provide this, I went with SNLLR instead. Hopefully, going with a smaller player this time bodes well.

I don’t know what kind of modem you have, but you can rent one from Freedom or buy one for €150.

The modems can be GPON or XGSPON, AON, DSL.

In addition to the fact that ODF opens up the fiber optic network to other providers after one year, Freedom is dependent on the illuminator that will illuminate this connection (in this case, Fiber Operator).

The illuminator must install its own hardware in the fiber optic exchange to illuminate the connection so that Freedom can transfer its data over it.

We release regions in our zip code check when we receive a signal from the illuminator that they can deliver in a certain region. This can happen very quickly after that year, but more often it takes a while before all the equipment is installed and configured.

In principle, we should be able to start delivering on all ODF connections after a year, provided the fiber optic cable is in place and the illuminator has installed and configured the equipment in the fiber optic exchange (PoP).

I’m aware of it :slight_smile: by mesh I meant they didn’t provide repeaters or wifi points as part of their subscription and atm, we can’t afford to buy separate ones since we at least need 2 in our house.

I understand, I don’t have much money myself, maybe once from your vacation money or other windfall.

On this website, you have bundles of routers and repeaters.