Full Report
Names, addresses, bank account numbers accessed – but biz insists passwords and call data untouched

The Netherlands' largest mobile network operator (MNO) has admitted that a breach of its customer contact system may have affected around 6.2 million people.…
Analysis Summary
# Incident Report: Odido Customer Contact System Breach
## Executive Summary
Odido, the largest mobile network operator in the Netherlands, suffered a significant data breach affecting approximately 6.2 million customers across the Odido and Ben brands. Unauthorized actors gained access to a customer contact system, exfiltrating a wide array of PII, including bank account numbers and ID details, though core telecommunications data and passwords remained secure. The company has contained the access and is currently notifying affected individuals.
## Incident Details
- **Discovery Date:** February 7–8, 2026
- **Incident Date:** Early February 2026
- **Affected Organization:** Odido (including subsidiary brand Ben)
- **Sector:** Telecommunications (MNO)
- **Geography:** Netherlands
## Timeline of Events
### Initial Access
- **Date/Time:** Pre-February 7, 2026
- **Vector:** Likely a vulnerability or credential abuse in a third-party or internal customer contact system (specifics not disclosed).
- **Details:** Attackers targeted the interface used for customer support and contact management.
### Lateral Movement
- **Details:** Information not publicly disclosed; however, the breach was confined to the contact system and did not pivot into core billing, location, or authentication databases.
### Data Exfiltration/Impact
- **Details:** Attackers accessed and exfiltrated data belonging to 6.2 million individuals. Stolen data includes names, home addresses, email addresses, phone numbers, dates of birth, bank account numbers, and ID document details (excluding scans).
### Detection & Response
- **Discovery:** Internal monitoring spotted "signals indicating a breach" during the weekend of Feb 7-8.
- **Response:** Unauthorized access was terminated immediately. The Dutch Data Protection Authority (AP) was notified, and external cybersecurity experts were onboarded.
## Attack Methodology
*Note: Specific technical TTPs were not detailed in the public disclosure.*
- **Initial Access:** Unauthorized access to a Customer Contact System.
- **Persistence:** Terminated by Odido post-discovery.
- **Collection:** Automated or manual harvesting of customer profiles from the contact interface.
- **Exfiltration:** Large-scale extraction of PII and financial identifiers.
- **Impact:** Mass data breach; high risk of secondary "Vishing" (voice phishing) and "Smishing" (SMS phishing) attacks.
## Impact Assessment
- **Financial:** Potential regulatory fines from the Dutch Data Protection Authority; costs associated with external forensic experts and customer remediation.
- **Data Breach:** High volume (6.2M records). Sensitive PII and IBANs (bank accounts) compromised.
- **Operational:** Minimal; calling, internet, and TV services remained fully functional.
- **Reputational:** Significant; affects the largest MNO in the Netherlands and its sub-brand "Ben."
## Indicators of Compromise
- **Behavioral indicators:** Unusual query patterns or bulk data exports originating from the customer contact system over the weekend of Feb 7-8.
- **Network/File indicators:** Not disclosed by the organization at this time.
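
One way to look for the behavioral indicator above in contact-system audit logs, as an added example that is not from Odido's disclosure or the original report: it flags accounts that open an unusual number of distinct customer records within one hour, with a lower limit on nights and weekends. The log format, account names and thresholds are assumptions, and the sample log is constructed.

```python
from collections import defaultdict
from datetime import datetime

# Assumed thresholds: distinct customer records one account may open per hour.
BUSINESS_HOURS_LIMIT = 60
OFF_HOURS_LIMIT = 15  # nights and weekends, when few agents are on shift

def is_off_hours(ts):
    """True on Saturday/Sunday or outside 08:00-18:00."""
    return ts.weekday() >= 5 or not 8 <= ts.hour < 18

def parse(line):
    """Parse 'ISO-timestamp account action customer_id' (hypothetical format)."""
    stamp, account, action, customer_id = line.split()
    return datetime.fromisoformat(stamp), account, action, customer_id

def flag_bulk_access(lines):
    """Return sorted (account, hour, distinct_records, limit) for buckets over limit."""
    seen = defaultdict(set)  # (account, hour bucket) -> distinct customer ids
    for line in lines:
        try:
            ts, account, action, customer_id = parse(line)
        except ValueError:
            continue  # skip malformed lines instead of aborting the run
        if action not in {"VIEW", "EXPORT"}:
            continue
        hour = ts.replace(minute=0, second=0, microsecond=0)
        seen[(account, hour)].add(customer_id)
    alerts = []
    for (account, hour), ids in seen.items():
        limit = OFF_HOURS_LIMIT if is_off_hours(hour) else BUSINESS_HOURS_LIMIT
        if len(ids) > limit:
            alerts.append((account, hour.isoformat(), len(ids), limit))
    return sorted(alerts)

# Constructed sample log, not data from the incident.
SAMPLE_LOG = (
    # Friday shift: 40 distinct records in one hour, under the daytime limit
    [f"2026-02-06T10:{m:02d}:00 agent_a VIEW C{m:05d}" for m in range(40)]
    # the same record reopened 30 times counts as one distinct record
    + ["2026-02-06T11:05:00 agent_a VIEW C00001"] * 30
    # 300 distinct records read in one hour early on Saturday
    + [f"2026-02-07T02:{i % 60:02d}:{i % 50:02d} agent_b EXPORT C{i:05d}" for i in range(300)]
    + ["garbage line"]
)

if __name__ == "__main__":
    for alert in flag_bulk_access(SAMPLE_LOG):
        print(alert)
```

Counting distinct records rather than raw events keeps an agent who reopens the same customer file from tripping the alert, while a sweep across many customers stands out.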
## Response Actions
- **Containment:** Access to the compromised system was revoked immediately upon discovery.
- **Eradication:** Implementation of "additional security measures" in coordination with external experts.
- **Recovery:** Tailored notification via info\[@\]mail.odido.nl and SMS to 6.2M users detailing exactly which data points were stolen for each specific individual.
## Lessons Learned
- **System Segregation:** The isolation of the contact system from the core billing and password databases prevented a catastrophic compromise of credentials and location data.
- **Third-Party/Sub-Brand Risk:** While Odido and Ben were hit, Simpel (under the same management) was not, suggesting differing security postures or system architectures within the same corporate group.
- **Monitoring:** Early detection over a weekend suggests effective (though not preventative) logging and alerting.
## Recommendations
- **Enhanced Authentication:** Implement stricter Multi-Factor Authentication (MFA) for all employees and contractors accessing customer contact systems.
- **Data Minimization:** Review the necessity of storing bank account numbers and ID details within a "contact" system versus a more secure, isolated billing vault.
- **Customer Awareness:** Launch a campaign to warn customers that any future calls from "Odido" or "Banks" asking for verification may be fraudulent, given the exposure of their PII.