Full Report
In contrast to the entities and courts that try to chill reporting, consider the coverage of the Odido breach, where Dutch news outlets have not been prevented from informing the public about its scope. As NL Times reported: "A second batch of stolen customer data from Dutch telecom company Odido has revealed highly sensitive information..." (Source)
Analysis Summary
# Incident Report: Odido Customer Data Exfiltration
## Executive Summary
The Dutch telecom provider Odido suffered a significant data breach resulting in the theft of highly sensitive customer information. Attackers exfiltrated data allegedly affecting up to 8 million individuals, including internal notes that identify victims of domestic violence and stalking. The company has publicly refused to pay the ransom demanded by the attackers (Shinyhunters).
## Incident Details
- Discovery Date: Not explicitly stated, but the reporting indicates multiple publicized batches of stolen data, starting prior to February 2026.
- Incident Date: Prior to the February 2026 reporting period; the exact date of compromise is not stated.
- Affected Organization: Odido
- Sector: Telecommunications
- Geography: Netherlands
## Timeline of Events
### Initial Access
- Date/Time: Unknown (Pre-February 2026)
- Vector: Not detailed in the source reporting; the scale of the theft implies a successful compromise of systems holding customer records.
- Details: Initial unauthorized access was gained by the threat actor (Shinyhunters).
### Lateral Movement
- *(No specific details provided regarding lateral movement techniques.)*
### Data Exfiltration/Impact
- **First Batch:** Data from 6.2 million current and former customers stolen, including names, addresses, phone numbers, dates of birth, bank account numbers, and ID numbers.
- **Second Batch:** Revealed highly sensitive internal customer notes, detailing instances of stalking, threats, domestic violence, and information on protected addresses.
- **Threat:** Hackers demanded a ransom exceeding 1 million euros and threatened to release 1 million lines of data daily.
### Detection & Response
- **Detection:** How Odido detected the intrusion is not stated. The breach became publicly known through the threat actor's own leaks and subsequent media reporting (e.g., NL Times, RTL).
- **Response Actions:** Odido confirmed it would not pay the ransom demand. Public reporting and media scrutiny of the breach scope were noted.
## Attack Methodology
- Initial Access: Unknown.
- Persistence: Unknown.
- Privilege Escalation: Unknown.
- Defense Evasion: Unknown.
- Credential Access: Unknown.
- Discovery: Unknown.
- Lateral Movement: Unknown.
- Collection: Detailed data, including sensitive internal notes, was gathered from customer records.
- Exfiltration: Data was stolen and subsequently leaked in batches to the public/media outlets as leverage.
- Impact: Release of PII, financial data, and highly sensitive physical safety information.
## Impact Assessment
- Financial: Ransom demanded exceeded 1 million euros (Odido refused to pay). Costs associated with remediation and potential litigation are unquantified.
- Data Breach: Data from up to 8 million people allegedly stolen. Included: Names, addresses, phone numbers, DOBs, bank account numbers, ID numbers, and highly sensitive profiles regarding domestic violence/stalking victims.
- Operational: Not explicitly stated. Loss of customer trust and a prolonged incident-response and customer-notification effort are implied.
- Reputational: High negative public exposure, with sensitive customer safety issues being highlighted by Dutch news outlets.
## Indicators of Compromise
- *(No specific technical IOCs such as IPs, domains, or hashes were provided in the source text.)*
## Response Actions
- **Containment:** Not detailed.
- **Eradication:** Not detailed.
- **Recovery:** Not detailed.
- **Negotiation Stance:** Odido confirmed it **refused to pay the ransom**.
## Lessons Learned
- The breach exposed indicators of customer vulnerability (domestic abuse and stalking victim status, protected addresses) stored as internal notes alongside ordinary customer records, which suggests that these high-risk fields were not segregated from, or protected differently than, the rest of the customer data.
- Public disclosure of the scope and nature of the compromised data (including safety risks) occurred rapidly due to active media coverage, in contrast to organizations attempting to suppress reporting.
## Recommendations
- Immediately conduct a data inventory to identify and reclassify all records pertaining to vulnerable populations (e.g., domestic violence victims) and elevate their protection posture.
- Review access controls and network segmentation to prevent a single breach entry point from compromising highly sensitive data fields.
- Develop a robust external communications strategy prepared for rapid, transparent disclosure, especially when safety risks are involved.
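One way to carry out the first two recommendations in code, as an added example that is not from the original report and makes no claim about Odido's actual systems: scan free-text customer-service notes for indicators that the customer belongs to a vulnerable population, tag those records for reclassification, and gate the note body behind a dedicated entitlement so that a caller with ordinary customer-record access (or a bulk export job) never receives the sensitive text. The indicator list, the entitlement name, the record layout and the sample notes are all constructed for illustration.

```python
"""Added example (not from the original report or from Odido): inventory
free-text customer notes for vulnerability indicators, reclassify matching
records, and enforce field-level access to the note body. Indicator list,
entitlement name, record layout and sample notes are constructed."""
import re
from dataclasses import dataclass, field

# Illustrative indicator patterns (assumption). In practice this list would be
# tuned with the customer-care team and complemented by structured flags
# (e.g. an explicit "protected address" field) rather than free text alone.
HIGH_RISK_PATTERNS = {
    "domestic_violence": re.compile(r"\b(domestic violence|huiselijk geweld)\b", re.I),
    "stalking": re.compile(r"\bstalk(ing|er|ed)?\b", re.I),
    "threat": re.compile(r"\b(threat(s|ened)?|bedreig(ing|d))\b", re.I),
    "protected_address": re.compile(r"\b(protected address|secret address|geheim adres)\b", re.I),
}

# Name of the dedicated entitlement (assumption); ordinary record access
# ("customer_notes:read") must NOT imply it.
RESTRICTED_NOTES_ENTITLEMENT = "customer_notes:restricted:read"


@dataclass
class CustomerRecord:
    customer_id: str
    name: str
    notes: list[str]
    classification: str = "standard"
    risk_tags: set[str] = field(default_factory=set)


def classify_record(rec: CustomerRecord) -> CustomerRecord:
    """Tag the record 'restricted' if any note matches a high-risk indicator.
    Idempotent, so it can run both in the batch inventory and at read time."""
    for note in rec.notes:
        for tag, pattern in HIGH_RISK_PATTERNS.items():
            if pattern.search(note):
                rec.risk_tags.add(tag)
    if rec.risk_tags:
        rec.classification = "restricted"
    return rec


def inventory(records):
    """Classify every record; return (restricted customer IDs, hits per indicator)."""
    restricted, counts = [], {}
    for rec in records:
        classify_record(rec)
        if rec.classification == "restricted":
            restricted.append(rec.customer_id)
            for tag in rec.risk_tags:
                counts[tag] = counts.get(tag, 0) + 1
    return restricted, counts


class AccessDenied(Exception):
    pass


def read_notes(rec: CustomerRecord, caller_entitlements: set[str]) -> list[str]:
    """Field-level gate: fail closed. Classification is re-derived here so the
    check does not depend on a batch job having already tagged the record."""
    classify_record(rec)
    if rec.classification == "restricted" and RESTRICTED_NOTES_ENTITLEMENT not in caller_entitlements:
        raise AccessDenied(f"{rec.customer_id}: notes require {RESTRICTED_NOTES_ENTITLEMENT}")
    return rec.notes


def redacted_view(rec: CustomerRecord, caller_entitlements: set[str]) -> list[str]:
    """Variant for bulk exports and support screens: substitute a marker for
    restricted note text instead of raising, so an export never carries it."""
    try:
        return read_notes(rec, caller_entitlements)
    except AccessDenied:
        return ["[restricted: see case file]"] * len(rec.notes)


# Constructed sample records (not real customer data).
SAMPLE_RECORDS = [
    CustomerRecord("C-0001", "A. Example", ["Customer asked about roaming charges."]),
    CustomerRecord("C-0002", "B. Example", ["Klant heeft geheim adres; niet delen.",
                                            "Reports being stalked by ex-partner."]),
    CustomerRecord("C-0003", "C. Example", ["Domestic violence case, caller threatened; do not disclose location."]),
]

if __name__ == "__main__":
    restricted_ids, hits = inventory(SAMPLE_RECORDS)
    print("restricted records:", restricted_ids)
    print("indicator hits:", hits)
    ordinary_agent = {"customer_notes:read"}
    for record in SAMPLE_RECORDS:
        print(record.customer_id, redacted_view(record, ordinary_agent))
```

The inventory output tells you how many records need to move into a segregated store and which indicator drove each one; the read-time gate is what stops a single compromised account with broad record access from also pulling the restricted notes. Pattern matching on free text is only a starting point for the inventory, which is why the comments point toward an explicit structured flag once the affected records are found.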