Odido and the age in which data is the prime target

In early February it became clear that telecoms provider Odido had been hit by a large-scale cyber-attack. Through phishing, attackers managed to gain access to employee accounts, after which they exfiltrated personal data from millions of accounts. The incident raises fundamental questions about digital resilience and the protection of personal data at a time when large organisations process vast quantities of data. What does this breach say about the state of cybersecurity in the Netherlands? And what responsibilities do companies bear when personal data ends up in the public domain? Sascha van Schendel, Assistant Professor of Data Protection & Cybersecurity, and Wouter Scherpenisse, PhD candidate in cybersecurity and the rule of law, both working at Erasmus School of Law and within the Erasmus Center of Law and Digitalization (ECLD), provide answers to these questions.

The human link

Scherpenisse is clear: “The scale of the data breach is very large. It appears that cybercriminals have obtained data from some 6.2 million users. In that respect, we are talking about one of the largest data breaches ever in the Netherlands.” According to him, the seriousness lies not only in the number of people affected, but above all in the nature of the data. Names, addresses, IBANs and identification details were stolen in the attack. “The nature of the stolen data means that this breach can spread like an oil slick. Cybercriminals can exploit this information.”

Media reports indicate that the attackers gained access via phishing. For Scherpenisse, this underlines the importance of the human factor: “The human link is often the weak link in the digital chain. Awareness of this is therefore very important. You can try to build an impregnable digital fortress, but the moment someone forgets to raise the drawbridge or lower the portcullis, you keep no one out.” Cyber hygiene is therefore crucial. “It is wise to alert employees with (in)direct access to systems to the relevant risks. A certain level of cyber knowledge within an organisation is no luxury. In that regard, it is a good thing that cyber hygiene will receive statutory anchoring in the forthcoming Cybersecurity Act, implementing the NIS2 Directive,” says Scherpenisse. At the same time, he acknowledges that complete security is an illusion.

The big bad wolf or grandmother?

What does the data breach mean in concrete terms for citizens? Scherpenisse: “For vulnerable groups – older people, for example – it will become even harder to distinguish malicious phone calls (‘spoofing’) from legitimate ones. Without big ears, eyes and teeth, it becomes harder to tell the wolf from grandmother. The credibility of someone posing as a bank employee increases significantly if that person has your name, address, passport and bank account number.” His advice is clear: “What should you do if you receive a call from, for example, ‘the bank’ or ‘the health insurer’ asking you to transfer money? Hang up immediately and try to contact the institution yourself using the contact details on the website.”

Data protection under the GDPR

The General Data Protection Regulation (GDPR) plays a central role in this breach. “In addition to reporting the breach to the Dutch Data Protection Authority (Autoriteit Persoonsgegevens, AP), Odido must also notify the individuals whose data has been leaked, in this case the customers. They must be informed as fully as possible about which data has been exfiltrated,” Van Schendel explains. This includes a careful investigation into the scope and cause of the breach. There is also an accountability obligation: “Under the GDPR, parties that work with personal data also have an accountability obligation, on the basis of which they must keep logs and documentation of the protective measures taken,” she explains.

According to Van Schendel, the question of when security is inadequate is context-dependent. “Under the GDPR, we have a strong level of data protection based on various principles and on appropriate technical and organisational measures that must be taken,” she says. “The continuous question is: for what purpose are personal data collected, used and stored?” Only data that are necessary for that purpose may be processed. “There is a constant arms race between hackers and the parties responsible for personal data when it comes to protective measures,” Van Schendel notes.

Who bears the damage?

Can Odido be held liable if the leaked data are actually misused? “Liability in the event of data breaches is always a tricky issue,” Van Schendel responds. “First, it must be shown how the law has been violated, in other words, that there has been unlawful conduct. In this case, that law is the GDPR.” In addition, there must be a direct causal link between the breach and the damage. She explains: “In cases involving privacy and personal data, this is an extra difficult question.” The damage may also be non-material: “For example, people may lose trust in a company or experience fear of identity fraud. This type of damage is often difficult to articulate and substantiate. Increasingly, in large-scale data breaches we see parties stepping forward to recover damages on behalf of multiple individuals, settling the harm collectively through so-called ‘mass claims’,” Van Schendel explains.

Data retention periods under scrutiny

An additional dimension in this case is that former customers from five or ten years ago also appear to have been affected, while Odido states that it retains data for a maximum of two years. According to Van Schendel, this may have legal consequences: “It may be that Odido processed more data than was minimally necessary or stored them for longer than the purpose for which they were needed. The AP must assess whether there has potentially been a breach of important data protection principles.” According to Van Schendel, the principle of storage limitation is the guiding one here: “This is determined on the basis of the purpose for which the data were stored: are they still needed to send those invoices or to perform the customer’s internet contract?”

Inevitable or preventable?

Should we simply regard large-scale data breaches as inevitable? Both researchers take a nuanced view. “It is unwise and unrealistic to assume that incidents of this kind can be completely prevented,” Scherpenisse and Van Schendel say jointly. “Make sure that, as an organisation or as an individual, you are resilient. We may expect all parties that process data, both companies and governments, to take sufficient protective measures and not to cut corners on the costs in an era in which data are a primary target of all criminal activity.” According to the researchers, citizens also have a role to play: “At a personal level, be cautious about sharing your own personal data. Even something as seemingly harmless as using a running app can entail significant risks.” With a smile, the researchers conclude: “Reading a good book is a great deal safer in that respect.”
