Consumers United in Court (CUIC) is launching a class-action lawsuit against telecom provider Odido regarding the massive data leak in February.

According to CUIC, which was founded by Dutch interest group Privacy First and Austrian privacy advocacy group noyb, Odido was negligent in securing personal and sensitive information of customers and former customers.

The consumer group argues that too much data was stored for far too long. Additionally, the stored personal information was not properly protected. Furthermore, Odido was insufficiently transparent and failed to comply with its reporting obligations.

“This case is not only about the data breach itself, but also about the negligence with which Odido handled the sensitive data of its current and former customers. In its own communications, Odido has since pointed out that the compromised personal data of customers has already been used for criminal activities such as phishing,” CUIC says.

The foundation aims to achieve atonement for all whose data has been stolen, including damages. The amount of the damages hasn’t been determined yet. Odido previously stated that victims aren’t automatically entitled to compensation in the event of a data breach.

Secondly, CUIC wants to set an example for all companies to comply with the rules and regulations established by the General Data Protection Regulation (GDPR), Europe’s privacy laws.

Lastly, the foundation wants Odido to provide full disclosure of how the data breach could have occurred and why the company allegedly disregarded warnings from software company Salesforce regarding the security of its systems.

CUIC urges everyone who is or has been a customer of Odido, T-Mobile, Tele2, or Ben to register for the class-action lawsuit. The consumer group has sent an invitation to Odido to enter into dialogue to seek an “amicable solution” for all parties involved, thereby avoiding legal proceedings. As of writing, Odido hasn't responded to the invitation.

In February, Odido disclosed that it had become the victim of a cyberattack. The attackers exfiltrated customer data from over 6.2 million current and former customers, including names, postal addresses, telephone numbers, customer IDs, bank account numbers, dates of birth, and government-issued ID numbers, such as passports and driver’s licenses.

On February 24th, ShinyHunters claimed responsibility for the attack. A few days later, the ransomware extortion group published all the stolen data on the dark web because the telecom operator refused to negotiate on the ransom demands.

---

Unlock more exclusive Cybernews content on YouTube.