Full Report
In February 2026, the Dutch telco Odido was the victim of a data breach and subsequent extortion attempt. Following the incident, 1M records containing 317k unique email addresses were published publicly, with a threat by the attackers to continue leaking more data in the following days. The data also included names, physical addresses, phone numbers, bank account numbers and notes about customers left by service operators. Odido has published a disclosure notice detailing the extent of the incident, providing an FAQ and advising that the incident also impacted dates of birth, passport and driver's licence numbers.
Analysis Summary
# Incident Report: Odido Dutch Telco Data Breach & Extortion
## Executive Summary
In February 2026, the Dutch telecommunications provider Odido suffered a significant data breach followed by a targeted extortion attempt. The incident resulted in the exposure of approximately 1 million records, including highly sensitive PII such as passport and driver's license numbers. The threat actors began leaking data publicly to pressure the organization, signaling a high-severity compromise of customer databases.
## Incident Details
- **Discovery Date:** February 2026
- **Incident Date:** February 2026
- **Affected Organization:** Odido
- **Sector:** Telecommunications
- **Geography:** Netherlands
## Timeline of Events
### Initial Access
- **Date/Time:** February 2026 (exact day not disclosed)
- **Vector:** Not explicitly disclosed in the public notice; however, third-party reports attribute the activity to the "ShinyHunters" group.
- **Details:** Attackers gained unauthorized access to internal systems housing customer and historical service data.
### Lateral Movement
- **Details:** Information specific to lateral movement techniques used within Odido's infrastructure was not included in the public disclosure.
### Data Exfiltration/Impact
- **Details:** Attackers successfully exfiltrated a massive dataset. On February 26, 2026, 1 million records containing 317k unique email addresses were published to a public leak site. The attackers threatened further releases if extortion demands were not met.
### Detection & Response
- **Discovery:** Likely discovered via monitoring of underground forums or via the extortion communication from the attackers.
- **Response actions taken:** Odido published a formal disclosure notice to customers, established an FAQ, and reported the incident to relevant Dutch privacy authorities.
## Attack Methodology
- **Initial Access:** Likely credential theft or exploitation of a vulnerability (attributable to ShinyHunters' typical TTPs).
- **Collection:** Automated gathering of customer databases including PII and operator notes.
- **Exfiltration:** Large-scale transfer of database records to external attacker-controlled infrastructure.
- **Impact:** Use of data for public exposure and financial extortion.
## Impact Assessment
- **Financial:** Potential regulatory fines from the Dutch Data Protection Authority (AP) and costs associated with credit monitoring for victims.
- **Data Breach:** Exposure of 1 million records/317,000 unique emails. Compromised PII includes:
  - Names, physical addresses, and phone numbers.
  - Bank account numbers (IBANs).
  - Dates of birth.
  - Passport and driver's license numbers.
  - Customer service operator internal notes.
- **Operational:** Disruption to customer service resources to manage the influx of security inquiries.
- **Reputational:** Significant public impact given the sensitivity of identity documents and the public nature of the data leak.
## Indicators of Compromise
- **Network indicators:** hxxps[://]www[.]odido[.]nl/veiligheid (Official Disclosure Page)
- **File indicators:** Database exports containing Odido customer metadata and service logs.
- **Behavioral indicators:** Large-scale unauthorized data transfers to external IP ranges; subsequent extortion communication.
## Response Actions
- **Containment measures:** Isolation of compromised systems and auditing of access logs.
- **Eradication steps:** Password resets for affected internal accounts and securing exposed API/database endpoints.
- **Recovery actions:** Notifying affected individuals; providing guidance on identity theft protection.
## Lessons Learned
- **Sensitive Data Storage:** The inclusion of passport and driver's license numbers in the breach highlights the risk of retaining high-value identification data in accessible formats.
- **Legacy/Comment Data:** The leak of "notes left by service operators" suggests that unstructured data in CRM systems can contain sensitive context that is often overlooked in security audits.
## Recommendations
- **Encryption at Rest:** Ensure all highly sensitive fields (Passports, IBANs) are encrypted at the field level, not just the disk level.
- **Data Minimization:** Implement strict retention policies to purge identity document data once verification is complete.
- **Enhanced Monitoring:** Deploy User and Entity Behavior Analytics (UEBA) to detect unusual database queries or large-scale data exports in real-time.
- **Customer Protection:** Advise all impacted customers to monitor their bank statements for unauthorized transactions and remain vigilant against phishing attempts leveraging their leaked service notes.
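The "Enhanced Monitoring" recommendation above (detecting large-scale data exports from customer databases) can be illustrated with a small baseline-versus-current check over database audit logs. The following is an added example and not Odido's tooling or any vendor's UEBA product; the audit-log line format, table names, principal names and thresholds are all constructed for illustration. It aggregates rows returned per principal per hour from tables holding sensitive fields and alerts when a principal's hourly volume exceeds both an absolute floor and a multiple of that principal's own historical median.

```python
"""Flag bulk reads of sensitive customer tables in database audit logs.

Added example (not Odido's or any vendor's code). The log format below is
constructed for this illustration; real DBMS audit formats differ.
"""
import re
from collections import defaultdict
from datetime import datetime, timezone
from statistics import median

# Constructed audit-log line format (assumption, not a real DBMS format):
# <iso8601 UTC> user=<principal> src=<ip> db=<db> table=<table> op=<op> rows=<n>
LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) src=(?P<src>\S+) db=(?P<db>\S+) "
    r"table=(?P<table>\S+) op=(?P<op>\S+) rows=(?P<rows>\d+)$"
)

# Tables assumed to hold PII / identity documents / operator notes (constructed names).
SENSITIVE_TABLES = {"customer_profile", "customer_bank", "operator_notes"}


def parse_line(line):
    """Return a dict for a well-formed line, or None for anything else."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    d = m.groupdict()
    d["ts"] = datetime.strptime(d["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    d["rows"] = int(d["rows"])
    return d


def hourly_volumes(events):
    """Map (user, hour bucket) -> rows read from sensitive tables via SELECT."""
    vol = defaultdict(int)
    for e in events:
        if e["op"] != "SELECT" or e["table"] not in SENSITIVE_TABLES:
            continue
        bucket = e["ts"].replace(minute=0, second=0, microsecond=0)
        vol[(e["user"], bucket)] += e["rows"]
    return vol


def detect_bulk_reads(lines, baseline_lines, abs_floor=10_000, ratio=10.0):
    """Return alerts for (user, hour) pairs whose sensitive-table read volume is
    at least abs_floor rows AND at least ratio x that user's median hourly
    volume in the baseline window. Malformed lines are skipped."""
    base = hourly_volumes(e for e in map(parse_line, baseline_lines) if e)
    per_user = defaultdict(list)
    for (user, _), rows in base.items():
        per_user[user].append(rows)
    baselines = {u: median(v) for u, v in per_user.items()}

    current = hourly_volumes(e for e in map(parse_line, lines) if e)
    alerts = []
    for (user, bucket), rows in sorted(current.items()):
        # A principal with no history gets baseline 0, so any volume over the floor alerts.
        b = baselines.get(user, 0)
        if rows >= abs_floor and rows >= ratio * b:
            alerts.append({"user": user, "hour": bucket.isoformat(), "rows": rows, "baseline": b})
    return alerts


# Constructed sample logs: a quiet baseline week, then one night with a bulk pull.
BASELINE_LOG = [
    "2026-02-20T09:00:00Z user=svc_crm src=10.0.5.21 db=customers table=customer_profile op=SELECT rows=310",
    "2026-02-20T10:00:00Z user=svc_crm src=10.0.5.21 db=customers table=customer_profile op=SELECT rows=295",
    "2026-02-20T11:00:00Z user=svc_crm src=10.0.5.21 db=customers table=operator_notes op=SELECT rows=320",
    "2026-02-20T09:00:00Z user=analyst1 src=10.0.7.8 db=customers table=customer_profile op=SELECT rows=1200",
    "2026-02-20T10:00:00Z user=analyst1 src=10.0.7.8 db=customers table=customer_profile op=SELECT rows=1100",
]

DAY_LOG = [
    "2026-02-25T02:10:00Z user=svc_crm src=10.0.5.21 db=customers table=customer_profile op=SELECT rows=48213",
    "2026-02-25T02:25:00Z user=svc_crm src=10.0.5.21 db=customers table=customer_bank op=SELECT rows=48213",
    "2026-02-25T02:40:00Z user=svc_crm src=10.0.5.21 db=customers table=operator_notes op=SELECT rows=91000",
    "2026-02-25T09:00:00Z user=svc_crm src=10.0.5.21 db=customers table=customer_profile op=SELECT rows=305",
    "2026-02-25T09:30:00Z user=analyst1 src=10.0.7.8 db=customers table=customer_profile op=SELECT rows=9000",
    "2026-02-25T11:00:00Z user=svc_crm src=10.0.5.21 db=customers table=customer_profile op=UPDATE rows=12",
    "this line is deliberately malformed and must be ignored",
]

if __name__ == "__main__":
    for a in detect_bulk_reads(DAY_LOG, BASELINE_LOG):
        print(f"ALERT {a['hour']} {a['user']}: {a['rows']} rows (baseline {a['baseline']}/h)")
```

Only the 02:00 hour for `svc_crm` alerts (187,426 rows against a 310-row median); the analyst's 9,000-row query stays below the absolute floor, and the `UPDATE` and malformed lines are ignored. Keying on each principal's own baseline rather than a single global threshold is what lets a service account that normally reads a few hundred rows an hour stand out even when its credentials are valid, which is the case a credential-theft scenario like the one described above produces.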