Dutch mobile phone giant Odido announces data breach

The largest mobile phone provider in the Netherlands announced a cyberattack on Thursday that led to the theft of customer information. 

The company Odido, told a local news outlet that 6.2 million people had information stolen. In a statement about the incident, Odido CEO Søren Abildgaard said names, bank account numbers, addresses, mobile numbers, email addresses, account numbers and IDs – ranging from passports to driver's license numbers – were stolen by the hackers. 

Abildgaard said the incident took place on February 7 and was eventually reported to the Dutch Data Protection Authority once the breach was confirmed. 

Investigators traced the attack back to a compromised customer contact system used by Odido. The cybercriminals downloaded customer information after gaining access. 

The company’s operations have not been impacted by the attack and the unauthorized access “was terminated as quickly as possible.”

No cybercriminals have come forward to claim the attack. Customers will be contacted directly by Odido if they are impacted. 

The statement includes several scenarios outlining how cybercriminals could use the information they stole. They warned victims that hackers could contact victims posing as Odido officials and use the information to verify their legitimacy. Some may send phishing emails made to look like Odido communications. 

Odido has about 7 million customers and has changed names several times over the last decade, including a recent run as T-Mobile Netherlands from 2021 to 2023. 

Cyberattacks on large national telecoms have roiled several countries in recent months. South Korea’s major mobile carrier, SK Telecom, told shareholders in November that recovery costs and other losses tied to a recent data breach led to a 90 percent drop in operating profit for the third quarter. The breach exposed the personal data of about 27 million customers. 

Last month, French regulators fined a French telecom giant Free SAS and sister company Free Mobile $42 million for an incident that exposed the personal data, including international bank account numbers, of 24 million subscribers.