The Netherlands' national police is backing Odido's refusal to pay a ransom after ShinyHunters leaked a second round of records belonging to the telco.
In the early hours of Friday morning, the cybercriminals behind ShinyHunters leaked 1 million Odido records for the second day in a row.
According to Have I Been Pwned, which is ingesting the data from each day's leaks, the first million contained 317,000 unique email addresses, while the second round consisted of 371,000.
Details associated with those accounts include bank account numbers, other basic personal information, passport numbers, driving licenses, and customer service comments.
ShinyHunters' website indicates that it is once again gearing up for a third round of leaks on February 28. If this round is of a similar scale, it would push the total number of affected accounts past 1 million.
After the third round, the cybercrime group promised to begin leaking 2 million records a day. It claims to have stolen around 21 million in total.
Odido first confirmed the scale of the data leak weeks ago, saying 6.2 million customers were affected by the attack. The company's website is currently not reachable at the time of writing, although the website for subsidiary Ben, whose customers were also caught up in the data theft, is still working.
The telco has also confirmed that it will not be paying a ransom, an unknown sum that ShinyHunters is demanding to stop the flow of leaked information into the public domain.
The Netherlands' national police (Politie) has reissued an alert advising organizations in similar positions to avoid paying ransoms, just like Odido.
"Our advice to ransomware victims is: don't pay if criminals demand a ransom," said Stan Duijf, head of operations responsible for combating cybercrime at the Politie. "After all, if they are paid, their business model remains viable.
"The ultimate decision is up to the victim, but you can't assume your data is safe if you pay. We know from research that criminals don't always delete the data, and may resell it or demand more money. If companies are hacked, it's crucial that they contact the police as soon as possible, so that together we can limit the damage and secure the evidence."
The Politie said Odido was fully complying with its investigation into the attack, and agreed with the company's advice to remain vigilant to potential targeted phishing attacks, given the volume of data stolen.
The Register requested more information from Odido.
The last public statement made by the telco, penned by Søren Abildgaard, CEO at Odido Netherlands, and updated on February 26, said: "Our focus has always been on our customers, and that will remain so.
"On the advice of leading cybersecurity advisors and relevant government agencies, such as the police, Odido has decided not to negotiate with these criminals or allow themselves to be blackmailed by them.
"We remain committed to supporting and protecting our customers and employees in the best possible way."
Customers are being offered a 24-month subscription to F-Secure's digital security package, which provides protection for devices against malware, phishing, and other threats. ®
Source: The register