Odido Breach

    Published: February 23, 2026

    Updated: February 23, 2026

    Odido Breach Exposes 6.2M Customer Data

    What Happened in the Breach

    Odido disclosed on February 12, 2026 that cybercriminals accessed a customer contact system used for customer communications and that the incident involved personal data, not telecom service operations.

    The company said the exposed information can include names, contact details, bank account numbers, dates of birth, and government ID document details such as passport or driver’s license numbers and validity dates, with the exact fields varying per customer.

    Odido said passwords, call records, and invoice data were not involved, and it told customers that using phone, internet, and TV services remained safe while the company ended the unauthorized access.

    Timeline: From First Access To Latest Update

    • February 7, 2026: Odido began investigating a suspected hack with internal and external experts, and it later tied the incident to systems used to contact customers
    • February 7 to February 8, 2026: Odido said the incident involved unauthorized access to a customer contact system during this weekend window
    • February 12, 2026: Odido publicly confirmed the cyberattack, said unauthorized access was ended quickly, and said impacted customers would receive direct email within up to 48 hours
    • February 12, 2026: Reuters reported Odido’s estimate of more than 6 million affected accounts and the data categories Odido listed in customer emails
    • February 13, 2026: NOS reported a likely intrusion path tied to phishing and social engineering targeting customer service accounts, while noting Odido did not respond to NOS’ findings
    • February 16, 2026: Odido’s public information page and follow-on coverage emphasized that a data leak does not automatically create a right to compensation, and it warned customers about advice that conflicts with government guidance
    • February 17, 2026: NOS reported Odido may have retained former-customer data longer than its stated 2-year period in some cases, affecting people who left 5 to 10 years earlier, based on reporting that referenced Het Financieele Dagblad
    • February 20, 2026: Dutch privacy regulator Autoriteit Persoonsgegevens said it was monitoring the case and told the public that filing additional complaints about this incident was not necessary
    • February 20, 2026: Dutch consumer reporting described scammers targeting victims with a fake “compensation” site charging about €50 up front

    What Data Or Systems Were Affected

    Odido said the affected system was a customer contact system used to communicate with customers, and it said the compromised data came from that system rather than from service delivery platforms.

    Odido and Reuters said exposed fields include customer names, phone numbers, email addresses, bank account numbers, dates of birth, and passport numbers, and Odido’s incident page adds that addresses, customer numbers, and ID validity details can also appear.

    Odido said the incident did not involve call records, invoice data, location data, or scans or copies of identity documents, and it said business end-user details were not leaked for business customers.

    Who Was Responsible (Confirmed Vs Alleged)

    Odido has not publicly named an attacker, and Reuters reported no identified threat actor in the company’s public communications.

    NOS reported, citing sources, that attackers targeted individual customer service employee accounts and used a mix of phishing and impersonation of internal IT staff to pass an extra security step, and Odido declined to comment to NOS on that reporting.

    Odido told customers it would not discuss the possible identity or background of the attacker at this stage, and NOS reported that the company would not say whether extortion pressure occurred.

    How The Attack Worked

    Odido said attackers gained unauthorized access to a customer contact system and that the company ended that access quickly after detection, bringing in third-party cybersecurity experts as part of the response.

    NOS reported a likely access chain that started with phishing emails used to obtain passwords from customer service workers, followed by phone calls in which criminals posed as Odido IT staff and convinced employees to approve a fraudulent login attempt, which NOS said bypassed an additional security step.

    NOS also reported that investigators traced activity to Salesforce access used for customer data, with automated scraping used to collect customer records, and it said sources doubted that criminals necessarily copied all records due to the time required.
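
The NOS reporting above describes automated scraping of customer records through a support account's CRM access. The following is an added example (not from Odido, NOS, or the original article) of one way to detect that pattern: flag any account that views more than a set number of distinct customer records inside a sliding time window. The log line layout, account names, and thresholds are assumptions constructed for this example.

```python
from collections import Counter, defaultdict, deque
from datetime import datetime, timedelta

def parse(line):
    """Split one 'timestamp account action record_id' line (constructed format)."""
    ts, account, action, record = line.split()
    return datetime.fromisoformat(ts), account, action, record

def find_bulk_readers(lines, window=timedelta(minutes=5), max_distinct=20):
    """Return {account: first_alert_time} for accounts that view more than
    max_distinct distinct records inside any sliding window."""
    recent = defaultdict(deque)    # account -> (ts, record) events still in window
    counts = defaultdict(Counter)  # account -> record id -> views in window
    alerts = {}
    for ts, account, action, record in sorted(map(parse, lines)):
        if action != "VIEW_RECORD":
            continue
        q, c = recent[account], counts[account]
        q.append((ts, record))
        c[record] += 1
        # Expire events that have fallen out of the window.
        while q and ts - q[0][0] > window:
            _, old = q.popleft()
            c[old] -= 1
            if c[old] == 0:
                del c[old]
        if len(c) > max_distinct and account not in alerts:
            alerts[account] = ts
    return alerts

def sample_log():
    """Constructed events: one agent working cases, one account paging through records."""
    start = datetime(2026, 1, 1, 9, 0, 0)
    lines = [f"{start.isoformat()} agent.b LOGIN -"]
    # Human pattern: 12 views over an hour, revisiting the same 4 customers.
    for i in range(12):
        ts = start + timedelta(minutes=5 * i)
        lines.append(f"{ts.isoformat()} agent.a VIEW_RECORD C{i % 4:05d}")
    # Scripted pattern: 120 distinct records, one every 2 seconds.
    for i in range(120):
        ts = start + timedelta(seconds=2 * i)
        lines.append(f"{ts.isoformat()} agent.b VIEW_RECORD C{1000 + i:05d}")
    return lines

if __name__ == "__main__":
    for account, when in find_bulk_readers(sample_log()).items():
        print(f"bulk record access: {account} at {when.isoformat()}")
```

Counting distinct records rather than raw views keeps an agent who reopens the same few customer files from tripping the alert, while the window length bounds how slowly a scraper can page before it goes unnoticed.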

    Impact and Risks for Customers

    Odido and the Dutch government’s Central Identity Fraud Reporting Centre said the biggest practical risk is targeted phishing, SMS scams, and phone-based fraud that uses accurate personal details to sound credible, including scams that impersonate Odido, banks, or government agencies.

    Odido’s incident page said a field labeled “password_c” appeared in the leaked contact system for a limited set of customers, but it said this was a challenge word used for phone verification rather than a login password, and it said the company stopped phone verification that relied on that code word.

    Dutch consumer reporting said scammers began approaching victims with a fake compensation pitch that asked for about €49.99 up front and promised payments ranging from €500 to €1,500 per person, while consumer advocates said it was too early for such claims and highlighted signs consistent with fraud.

    Company Response And Customer Remediation

    Odido said it ended the unauthorized access, engaged external cybersecurity experts, and notified the Dutch data protection regulator, and it said impacted customers would receive direct email communication within up to 48 hours due to volume.

    Odido advised customers to watch for suspicious contacts, and it said it does not send emails asking customers to change passwords, while repeating that customer login passwords were stored in encrypted form and were not accessible through the compromised system.

    Odido’s incident FAQ said replacing passports or driver’s licenses was not necessary under current government guidance, and it said it was not reimbursing replacement costs at this time because the official advice did not recommend replacement.

    Government, Law Enforcement, And Regulator Actions

    Reuters and Odido said the incident was reported to the Dutch privacy regulator Autoriteit Persoonsgegevens, and Odido’s public materials positioned the AP notification as part of its regulatory response.

    Autoriteit Persoonsgegevens published a dedicated incident page stating it was monitoring the situation and that filing new complaints or tips about this incident was not necessary, after receiving a high volume of reports.

    The Dutch government’s identity fraud helpdesk published guidance on February 12, 2026 that said a data leak does not automatically mean identity fraud, while warning that spearphishing risk rises when criminals hold accurate personal data.

    Odido’s incident page said a data leak does not automatically create a right to compensation, and it said its focus was on preventing harm while customers remain vigilant for fraud attempts.

    Dutch reporting highlighted the emergence of fee-charging “mass claim” pitches tied to the breach and said no formal mass claim had been launched at the time those reports were published.

    Reuters reported on February 9, 2026 that Odido postponed planned IPO steps due to muted investor demand and market volatility, and that report did not link the IPO decision to the later-disclosed breach.

    What Remains Unclear About the Breach

    • Odido has not published a confirmed earliest intrusion date, exact dwell time, or a technical post-incident report covering initial access, persistence, and exfiltration volume, so key details rely on media reporting.
    • Odido said stolen data had not been published online during early communications and noted future publication could not be ruled out, while Reuters did not report a public posting in initial coverage.
    • Odido has not publicly confirmed a ransom or extortion demand, and NOS reported the company would not discuss coercion pressure in early media interactions.

    Why This Incident Matters

    The Odido breach is among the largest reported private-sector customer data exposures in the Netherlands, and it shows the damage that can occur when customer contact systems hold high-risk identifiers such as bank account numbers and ID document metadata.

    The incident also shows how criminals can blend phishing, phone impersonation, and approval-step abuse to move from workforce access into customer datasets, a pattern Dutch media described in detail while Odido continued its investigation.

    The follow-on scam wave demonstrates how breach news itself becomes an attack surface, with fraud campaigns pitching fast compensation or “claims help” while seeking fees and extra personal data from already-affected customers.

    Bright Defense: Pen Tests and Continuous Compliance That Cut Identity-Data Exposure

    Bright Defense can reduce the risk of telecom-style contact-system breaches through penetration tests that focus on identity attack paths such as phishing-resistant access controls, call-center account workflows, MFA approval-step abuse, and customer-service tooling that connects into CRM platforms. A pen test program can validate whether a single compromised support identity can reach bulk export functions, scrape views at scale, or pivot into adjacent systems that store regulated identifiers.

    Bright Defense’s continuous compliance work can support ongoing control health in areas that map directly to identity-led intrusions, including access review cadence, privileged role governance, detection coverage for unusual data access patterns, and incident response readiness. Continuous evidence collection and control checks can also support SOC 2 expectations around access controls, monitoring, and response documentation, which becomes critical when regulators, customers, and partners ask for proof of control operation after a breach.

    Sources

    1. Odido Newsroom — Odido informs customers of cyber attack (February 12, 2026)
      https://newsroom.odido.nl/en-us/odido-informs-customers-of-cyber-attack/
    2. Odido — Information page cyber incident (February 2026)
      https://www.odido.nl/veiligheid-eng
    3. Reuters — Dutch telecom Odido hacked, 6 million accounts affected (February 12, 2026)
      https://www.reuters.com/business/media-telecom/dutch-telecom-odido-hacked-6-million-accounts-affected-2026-02-12/
    4. BleepingComputer — Odido data breach exposes personal info of 6.2 million customers (February 12, 2026)
      https://www.bleepingcomputer.com/news/security/odido-data-breach-exposes-personal-info-of-62-million-customers/
    5. TechCrunch — Dutch phone giant Odido says millions of customers affected by data breach (February 13, 2026)
      https://techcrunch.com/2026/02/13/dutch-phone-giant-odido-says-millions-of-customers-affected-by-data-breach/
    6. NOS — Hack bij Odido, gegevens miljoenen klanten in handen van criminelen (February 12, 2026)
      https://nos.nl/artikel/2602080-hack-bij-odido-gegevens-miljoenen-klanten-in-handen-van-criminelen
    7. NOS — Odido-hackers kwamen binnen via phishing, deden zich voor als ICT-afdeling (February 13, 2026)
      https://nos.nl/artikel/2602283-odido-hackers-kwamen-binnen-via-phishing-deden-zich-voor-als-ict-afdeling
    8. NOS — Odido overschrijdt eigen termijn bewaren gegevens (February 17, 2026)
      https://nos.nl/artikel/2602804-odido-overschrijdt-eigen-termijn-bewaren-gegevens
    9. Autoriteit Persoonsgegevens — Datalek Odido (February 2026)
      https://www.autoriteitpersoonsgegevens.nl/datalek-odido
    10. RvIG / CMI — Datalek Odido veroorzaakt ongerustheid – CMI geeft advies (February 12, 2026)
      https://www.rvig.nl/nieuws/12-02-2026-datalek-odido-veroorzaakt-ongerustheid-cmi-geeft-advies
    11. The Record — Dutch mobile phone giant Odido announces data breach (February 12, 2026)
      https://therecord.media/dutch-telecom-giant-announces-data-breach
    12. SecurityWeek — Dutch Carrier Odido Discloses Data Breach Impacting 6 million (February 13, 2026)
      https://www.securityweek.com/dutch-carrier-odido-discloses-data-breach-impacting-6-million/
    13. NL Times — Fake site targeting victims of Odido data leak with compensation scam (February 20, 2026)
      https://nltimes.nl/2026/02/20/fake-site-targeting-victims-odido-data-leak-compensation-scam
    14. Tweakers — Scamsite vraagt 50 euro per persoon voor schadeclaim bij Odido-datalek (February 20, 2026)
      https://tweakers.net/nieuws/244936/scamsite-vraagt-50-euro-per-persoon-voor-schadeclaim-bij-odido-datalek.html
    15. Techzine — Data breach at Odido: responsibility and compensation under discussion (February 16, 2026)
      https://www.techzine.eu/news/security/138806/data-breach-at-odido-responsibility-and-compensation-under-discussion/
    16. Reuters — Odido shelves IPO plans because of muted investor response and volatility (February 9, 2026)
      https://www.reuters.com/business/corrected-odido-shelves-ipo-plans-because-muted-investor-response-volatility-2026-02-09/

    Tamzid brings 5+ years of specialized writing experience across SaaS, cybersecurity, compliance, and blockchain. He’s skilled at simplifying complex concepts without losing depth. He follows the latest cybersecurity compliance updates, bringing readers practical insights they can trust and keeping them ahead of the curve.
