**Company refuses to pay ransom as attackers threaten larger daily dumps**

The Netherlands' national police is backing Odido's refusal to pay a ransom after ShinyHunters leaked a second round of records belonging to the telco.…
# Incident Report: Odido Data Extortion by ShinyHunters
## Executive Summary
Dutch telecommunications provider Odido (formerly T-Mobile Netherlands) suffered a massive data breach involving the theft of approximately 21 million records. The threat actor, ShinyHunters, has begun leaking data in daily increments of 1 million records after the company, supported by the Dutch National Police, refused to pay an undisclosed ransom. The breach includes highly sensitive PII, including bank account details and government identification numbers.
## Incident Details
- **Discovery Date:** Early February 2026 (Confirmed weeks prior to Feb 27)
- **Incident Date:** Ongoing leaks starting February 26, 2026
- **Affected Organization:** Odido (including subsidiary 'Ben')
- **Sector:** Telecommunications
- **Geography:** Netherlands
## Timeline of Events
### Initial Access
- **Date/Time:** Pre-February 2026 (Exact date unspecified)
- **Vector:** Unknown (Article focus is on the extortion phase)
- **Details:** Attackers gained access to backend systems containing customer records for Odido and its subsidiary, Ben.
### Lateral Movement
- Details not disclosed; the breadth of the stolen data (customer profiles, bank details, ID scans, service logs) suggests access to central customer databases or data warehouses rather than a single application.
### Data Exfiltration/Impact
- **Volume:** Approximately 21 million records stolen.
- **Leak Phase 1 (Feb 26):** 1 million records leaked (317,000 unique emails).
- **Leak Phase 2 (Feb 27):** 1 million records leaked (371,000 unique emails).
- **Scheduled Phase 3 (Feb 28):** Threatened leak of 1 million records, followed by daily dumps of 2 million records.
### Detection & Response
- **Detection:** Odido confirmed the scale of the breach "weeks ago" relative to the Feb 27 reporting, i.e., before the public leaks began.
- **Response:** Refusal to negotiate or pay ransom; engagement with Dutch National Police (Politie); website taken offline/unavailable during peak leak period.
## Attack Methodology
- **Initial Access:** Unspecified.
- **Persistence:** Unspecified.
- **Privilege Escalation:** Unspecified.
- **Defense Evasion:** Unspecified.
- **Credential Access:** Unspecified.
- **Discovery:** Targeted customer databases containing PII and ID documents.
- **Lateral Movement:** Unspecified.
- **Collection:** Automated harvesting of customer profiles, bank accounts, and ID scans.
- **Exfiltration:** Massive data transfer of approx. 21 million records.
- **Impact:** Data extortion and public leak via ShinyHunters' dark web portal.
## Impact Assessment
- **Financial:** Potential GDPR fines and costs associated with 24-month security subscriptions for millions of users.
- **Data Breach:** High-sensitivity data including bank account numbers, passport numbers, driving licenses, and customer service logs.
- **Operational:** Odido's main website was rendered unreachable during the incident.
- **Reputational:** Massive public exposure of customer data; high-profile media coverage of the leak progression.
## Indicators of Compromise
- **Network indicators:** hxxps[://]shinyhunters[.]website (Extortion portal)
- **File indicators:** Data dumps ingested by Have I Been Pwned (HIBP).
- **Behavioral indicators:** Large-scale data exfiltration from customer management systems.
## Response Actions
- **Containment:** Website taken offline (Odido.nl).
- **Eradication:** Full cooperation with the Dutch National Police (Politie) digital crimes unit.
- **Recovery:** Offering affected customers a 24-month subscription to F-Secure digital security for identity protection and malware defense.
## Lessons Learned
- **Ransom Strategy:** Odido and Dutch authorities maintained a firm "no-pay" stance to avoid fueling the cybercrime ecosystem, despite the escalating nature of the leaks.
- **Data Minimization:** The presence of passport and driving license numbers in the leak highlights the risk of retaining high-value government IDs in accessible databases.
- **Transparency:** Proactive confirmation of the breach scale helped manage expectations before the public leaks began.
## Recommendations
- **Encryption:** Ensure at-rest encryption for sensitive fields such as passport and bank account numbers.
- **Access Control:** Implement strict Multi-Factor Authentication (MFA) and Just-In-Time (JIT) access for database administrators.
- **Monitoring:** Deploy Database Activity Monitoring (DAM) to alert on unusual bulk exports of customer records.
- **Customer Protection:** Advise all customers to monitor bank statements and be alert for sophisticated phishing attempts leveraging their leaked service comments and PII.