Top Dutch telco Odido admits 6.2M customers caught in contact system caper
(2026/02/13)
- Reference: 1770983113
- News link: https://www.theregister.co.uk/2026/02/13/odido_breach/
- Source link:
The Netherlands' largest mobile network operator (MNO) has admitted that a breach of its customer contact system may have affected around 6.2 million people.
Odido said that attackers gained access to a range of personal data, including names, home and email addresses, phone numbers, dates of birth, bank account numbers, and ID document details.
The telco insisted that attackers could never have seen passwords, call details, billing or location data, or scans of the ID documents.
[1]
It spotted the first signals indicating a breach over the weekend of February 7-8 and promptly reported the incident to the [2]Dutch Data Protection Authority .
[3]
[4]
Odido said the stolen data has not been published, but warned that it could appear online at some point in the future.
Around 6.2 million people were affected by this attack in some way, the telco told [5]local news media , including its own customers and those of Ben, another MNO owned by Odido. Simpel, a low-budget MNO also under Odido's management, was unaffected.
[6]
The company is in the process of informing all affected individuals, either via email (info@mail.odido.nl) or SMS. This message will be tailored to each customer, telling them exactly what personal data was stolen.
In its disclosure, Odido also included tips about what customers should be aware of following the breach, such as scams attackers may attempt using the stolen data for financial gain.
Because names, addresses, phone numbers, and bank account numbers were included in the stolen data, Odido said that cybercriminals may use this to impersonate the telco, the customer's bank, or another third party.
[7]Supply chain attacks now fuel a 'self-reinforcing' cybercrime economy
[8]Devilish devs spawn 287 Chrome extensions to flog your browser history to data brokers
[9]Nearly 17,000 Volvo staff dinged in supplier breach
[10]Dutch data watchdog snitches on itself after getting caught in Ivanti zero-day attacks
Odido also advised customers about the different ways they can verify a caller's identity if they say they're calling from a bank, and to be wary of [11]fake invoices with company branding, trying to get customers to pay the criminals directly.
CEO Søren Abildgaard said Odido "immediately took additional security measures" after shutting down the attacker's access, as well as informing the data regulator.
[12]
"Odido has been affected by a cyberattack, in which customer data has been impacted," said Abildgaard in a [13]letter to customers. "This involves personal data originating from a customer contact system used by Odido. No [14]passwords , call details, or billing data are involved.
"We deeply regret this incident and are fully committed to limiting the impact of this incident and providing our customers with all necessary support. It is important to emphasize that our operational services have not been affected; customers can continue to call, use the internet, and watch TV safely.
"Unauthorized access to the system was ended as quickly as possible. In addition, Odido has engaged external cybersecurity experts to support the implementation of additional security measures as part of the response to this incident."
The Register approached Odido for more information. ®
Get our [15]Tech Resources
[1] https://pubads.g.doubleclick.net/gampad/jump?co=1&iu=/6978/reg_security/cybercrime&sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&tile=2&c=2aY9YtMhTaLxIF_PVcqs-DQAAA08&t=ct%3Dns%26unitnum%3D2%26raptor%3Dcondor%26pos%3Dtop%26test%3D0
[2] https://www.theregister.com/2026/02/09/dutch_data_protection_ivanti/
[3] https://pubads.g.doubleclick.net/gampad/jump?co=1&iu=/6978/reg_security/cybercrime&sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&tile=4&c=44aY9YtMhTaLxIF_PVcqs-DQAAA08&t=ct%3Dns%26unitnum%3D4%26raptor%3Dfalcon%26pos%3Dmid%26test%3D0
[4] https://pubads.g.doubleclick.net/gampad/jump?co=1&iu=/6978/reg_security/cybercrime&sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&tile=3&c=33aY9YtMhTaLxIF_PVcqs-DQAAA08&t=ct%3Dns%26unitnum%3D3%26raptor%3Deagle%26pos%3Dmid%26test%3D0
[5] https://nos.nl/artikel/2602080-hack-bij-odido-gegevens-miljoenen-klanten-in-handen-van-criminelen
[6] https://pubads.g.doubleclick.net/gampad/jump?co=1&iu=/6978/reg_security/cybercrime&sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&tile=4&c=44aY9YtMhTaLxIF_PVcqs-DQAAA08&t=ct%3Dns%26unitnum%3D4%26raptor%3Dfalcon%26pos%3Dmid%26test%3D0
[7] https://www.theregister.com/2026/02/12/supply_chain_attacks/
[8] https://www.theregister.com/2026/02/11/security_researcher_287_chrome_extensions_data_leak/
[9] https://www.theregister.com/2026/02/10/conduent_volvo_breach/
[10] https://www.theregister.com/2026/02/09/dutch_data_protection_ivanti/
[11] https://www.theregister.com/2022/11/04/crimson_kingsnake_bec_scam/
[12] https://pubads.g.doubleclick.net/gampad/jump?co=1&iu=/6978/reg_security/cybercrime&sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&tile=3&c=33aY9YtMhTaLxIF_PVcqs-DQAAA08&t=ct%3Dns%26unitnum%3D3%26raptor%3Deagle%26pos%3Dmid%26test%3D0
[13] https://www.odido.nl/veiligheid
[14] https://www.theregister.com/2025/11/18/zoomer_passwords/
[15] https://whitepapers.theregister.com/
Odido said that attackers gained access to a range of personal data, including names, home and email addresses, phone numbers, dates of birth, bank account numbers, and ID document details.
The telco insisted that attackers could never have seen passwords, call details, billing or location data, or scans of the ID documents.
[1]
It spotted the first signals indicating a breach over the weekend of February 7-8 and promptly reported the incident to the [2]Dutch Data Protection Authority .
[3]
[4]
Odido said the stolen data has not been published, but warned that it could appear online at some point in the future.
Around 6.2 million people were affected by this attack in some way, the telco told [5]local news media , including its own customers and those of Ben, another MNO owned by Odido. Simpel, a low-budget MNO also under Odido's management, was unaffected.
[6]
The company is in the process of informing all affected individuals, either via email (info@mail.odido.nl) or SMS. This message will be tailored to each customer, telling them exactly what personal data was stolen.
In its disclosure, Odido also included tips about what customers should be aware of following the breach, such as scams attackers may attempt using the stolen data for financial gain.
Because names, addresses, phone numbers, and bank account numbers were included in the stolen data, Odido said that cybercriminals may use this to impersonate the telco, the customer's bank, or another third party.
[7]Supply chain attacks now fuel a 'self-reinforcing' cybercrime economy
[8]Devilish devs spawn 287 Chrome extensions to flog your browser history to data brokers
[9]Nearly 17,000 Volvo staff dinged in supplier breach
[10]Dutch data watchdog snitches on itself after getting caught in Ivanti zero-day attacks
Odido also advised customers about the different ways they can verify a caller's identity if they say they're calling from a bank, and to be wary of [11]fake invoices with company branding, trying to get customers to pay the criminals directly.
CEO Søren Abildgaard said Odido "immediately took additional security measures" after shutting down the attacker's access, as well as informing the data regulator.
[12]
"Odido has been affected by a cyberattack, in which customer data has been impacted," said Abildgaard in a [13]letter to customers. "This involves personal data originating from a customer contact system used by Odido. No [14]passwords , call details, or billing data are involved.
"We deeply regret this incident and are fully committed to limiting the impact of this incident and providing our customers with all necessary support. It is important to emphasize that our operational services have not been affected; customers can continue to call, use the internet, and watch TV safely.
"Unauthorized access to the system was ended as quickly as possible. In addition, Odido has engaged external cybersecurity experts to support the implementation of additional security measures as part of the response to this incident."
The Register approached Odido for more information. ®
Get our [15]Tech Resources
[1] https://pubads.g.doubleclick.net/gampad/jump?co=1&iu=/6978/reg_security/cybercrime&sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&tile=2&c=2aY9YtMhTaLxIF_PVcqs-DQAAA08&t=ct%3Dns%26unitnum%3D2%26raptor%3Dcondor%26pos%3Dtop%26test%3D0
[2] https://www.theregister.com/2026/02/09/dutch_data_protection_ivanti/
[3] https://pubads.g.doubleclick.net/gampad/jump?co=1&iu=/6978/reg_security/cybercrime&sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&tile=4&c=44aY9YtMhTaLxIF_PVcqs-DQAAA08&t=ct%3Dns%26unitnum%3D4%26raptor%3Dfalcon%26pos%3Dmid%26test%3D0
[4] https://pubads.g.doubleclick.net/gampad/jump?co=1&iu=/6978/reg_security/cybercrime&sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&tile=3&c=33aY9YtMhTaLxIF_PVcqs-DQAAA08&t=ct%3Dns%26unitnum%3D3%26raptor%3Deagle%26pos%3Dmid%26test%3D0
[5] https://nos.nl/artikel/2602080-hack-bij-odido-gegevens-miljoenen-klanten-in-handen-van-criminelen
[6] https://pubads.g.doubleclick.net/gampad/jump?co=1&iu=/6978/reg_security/cybercrime&sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&tile=4&c=44aY9YtMhTaLxIF_PVcqs-DQAAA08&t=ct%3Dns%26unitnum%3D4%26raptor%3Dfalcon%26pos%3Dmid%26test%3D0
[7] https://www.theregister.com/2026/02/12/supply_chain_attacks/
[8] https://www.theregister.com/2026/02/11/security_researcher_287_chrome_extensions_data_leak/
[9] https://www.theregister.com/2026/02/10/conduent_volvo_breach/
[10] https://www.theregister.com/2026/02/09/dutch_data_protection_ivanti/
[11] https://www.theregister.com/2022/11/04/crimson_kingsnake_bec_scam/
[12] https://pubads.g.doubleclick.net/gampad/jump?co=1&iu=/6978/reg_security/cybercrime&sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&tile=3&c=33aY9YtMhTaLxIF_PVcqs-DQAAA08&t=ct%3Dns%26unitnum%3D3%26raptor%3Deagle%26pos%3Dmid%26test%3D0
[13] https://www.odido.nl/veiligheid
[14] https://www.theregister.com/2025/11/18/zoomer_passwords/
[15] https://whitepapers.theregister.com/
Scans of ID documents
VoiceOfTruth
Why do these need to be kept at all?
I might understand the need to 'prove' who I am when I become a customer (if that is required in Holland). But why keep the scan? If I am in person, that can be verified by the mark one eyeball of my documents and noted accordingly. If I am doing this online and send in a photo or a scan of my documents, that has no value - I can send in anything I happen to have access to.
By keeping all these scans, Odido has just subjected its customers to the latter. $badguy now has scans which no doubt they will use to impersonate Odido's customers. And it's Odido's customers who will have to spend time dealing with this.
Not the largest
Anonymous Coward
Odido is not the largest in NL. That's still KPN.
Passwords Secured
Thank God and Odido's security that the crims didn't get customers' Odido passwords!
Though, apparantly, the crims won't be needing those.