The Odido data breach and ransom

During the weekend of 7 and 8 February 2026, Odido received the first indications of a major data breach, in which the personal data of approximately 6.2 million customers and former customers had been stolen. This personal data included the names, addresses, telephone numbers and bank account numbers of customers and former customers.

On 24 February 2026, it became public knowledge that Odido was being blackmailed by a hacker group called Shinyhunters. Shinyhunters claims that the scale of the breach is much greater. The group claims to have data from approximately 8 million customers and talks about tens of millions of data fields.

In a message on the dark web, the hackers put pressure on the telecom company with an ultimatum. A sum of more than 1 million euros would have to be paid to prevent the personal data from being leaked.

It is clear that Odido is being blackmailed. The question remains whether Odido will actually pay or not.

Are data leaks common?

Unfortunately, data leaks are common. This also applies to well-known institutions, including the Council for the Judiciary and the AP itself in 2026, due to a vulnerability in Ivanti software. Eindhoven University was also a victim in 2025, as was Maastricht University in 2019, which ultimately paid a ransom.

It is a difficult decision for an affected institution whether or not to pay a ransom. Do you refuse to reward organised crime, or do you prioritise the continuity of the business and the interests of those involved? There are arguments on both sides. Relevant parameters include the nature of the leaked data and the potential impact on the rights and freedoms of those involved, the extent to which the institution’s continuity has been affected, and the alternatives for becoming operational again, for instance by restoring from backups.

Does payment provide certainty?

It should come as no surprise that the Dutch Data Protection Authority (AP) states in its October 2024 report that non-payment is the norm (“80% do not pay”) and that payment does not guarantee that personal data will be secure. After all, it is difficult for a supervisory authority to advise giving in to extortion. A report published by Sophos in 2025 (The state of ransomware 2025) indicates that in about 50% of cases, payment is made to get the data back.

The Sophos study also states that the average ransom demanded is falling significantly, by approximately 50% from US$ 2 million in 2024 to US$ 1 million in 2025. In addition, approximately half ultimately paid less than the amount demanded, one-third paid the amount demanded, and the rest paid more. Overall, the trend is that more affected institutions report paying, but the amount paid is often lower than the amount demanded.

What cannot be deduced from Sophos’s research is what percentage of the institutions that paid did not get their data back. Sophos describes it as follows: “49% of victims paid the ransom to get their data back. While this represents a slight drop from last year’s 56%, it is the second highest ransom payment rate in six years.” Some people interpret this as meaning that only 49% of victims got their data back after paying, but I read it as meaning that 49% of victims paid to get their data back. This study does not make it clear whether the money paid was always rewarded with the return of the data. However, the report by insurer Hiscox notes in its ‘Cyber Readiness Report 2025’: ‘For those who paid a ransom, 60% recovered some or all of their data. Two out of five (41%) were given a recovery key, but still had to rebuild their systems. Paying a ransom does not always solve the problem. Instead, for 31% who paid, attackers demanded more money’.

Doing business with criminals

In other words, doing business with criminals does not necessarily mean that the highest ethical standards underpin that business. Considerations include the fact that, despite payment, getting back up and running still requires rebuilding the systems, so paying is not necessarily a quick fix. The loss of access to data through encryption is a different situation from that data being in the hands of criminals who can then trade it on the dark web; in the latter case, the interests of those involved weigh more heavily in favour of preventing that. And, of course, the sensitivity of the personal data and how easily it can be used for identity fraud are also important factors. In other words, each situation requires its own assessment of the consequences.

Paying ransom: practical and legal considerations (no automatic solution)

In crisis situations, directors and management often face the same question: to pay or not to pay? There is no general legal rule that always prohibits or always prescribes payment.

From a business perspective, five factors usually come into play:

Type of incident: is it data theft, encryption (ransomware), or both?

Recoverability without payment: are backups reliable, tested and quick to restore? Can you temporarily perform core processes manually?

Continuity and security: what is the impact on services (e.g. continuity of care, education schedules, accessibility, payments)?

Effect of payment: does payment actually result in a working decryption key, and is there any way of verifying that data will not be shared after all? In practice, such verification is limited.

Legal preconditions: a payment can become problematic if you pay (directly or indirectly) to a sanctioned party. Have this checked in advance. Insurance conditions, reporting obligations in contracts and sector rules may also play a role.

In addition: even if you can access your data again after payment, an intensive recovery process often follows. This includes detecting and removing backdoors, resetting accounts, redesigning identity and access management, restoring domain controllers and rebuilding endpoints. Without thorough incident response and forensic investigation, there is a real chance that you will be hit again.

Advice

Do you have any questions about this article? Our solicitors are ready to advise you! Contact one of our solicitors by email or telephone, or fill in the contact form for a no-obligation initial consultation.


About the author

Jop Fellinger

IT and ICT law, Corporate Law & Disputes, Regulation and litigation