Historic Cyberattack in the Netherlands: Data Leak of 6.2 Million Odido Customers

In February 2026, one of the most serious cybersecurity incidents in the recent history of the European telecommunications sector came to light: the Dutch company Odido confirmed that it had suffered a massive cyberattack that compromised the personal information of approximately 6.2 million customers. Highly sensitive data, such as full names, addresses, phone numbers, bank accounts (IBAN), and official document numbers were exposed, generating a wave of concern among users, regulatory authorities, and digital security experts across Europe.

The incident not only represents a significant blow to the company's reputation, but it also underscores the growing threats faced by companies that store large volumes of personal information. In a context where digitalization is advancing rapidly, corporate databases have become priority targets for increasingly sophisticated criminal groups.

The Business Context: Who is Odido?

Odido is one of the main telecommunications operators in the Netherlands, and Odido has become a central brand within the Dutch market since its creation. Odido was officially founded in 2023 following the rebranding and consolidation of T-Mobile Netherlands and Tele2 Netherlands operations. 

Before becoming Odido, these operations were owned by Deutsche Telekom but later passed into the hands of a private investment consortium led by Apax Partners and Warburg Pincus. With this transition, Odido left behind the old corporate identity to position itself as a new strategic phase in the sector.

After the brand transition, Odido quickly consolidated its national presence and managed to gather a customer base of around seven to eight million users in mobile telephony, broadband internet, and television services. Odido has sought to differentiate itself through aggressive commercial strategies and significant investment in digital infrastructure. 

In the Dutch market, Odido competes directly with industry giants such as KPN and VodafoneZiggo, placing Odido at the center of intense competition for market share, technological innovation, and customer loyalty. Due to its size and relevance, any security incident affecting Odido has implications not only for Odido as a company but also for the national digital ecosystem in which Odido operates. 

Odido’s market position implies that the company’s strategic decisions, as well as the challenges it faces, directly affect millions of users and the general perception of the telecommunications sector in the Netherlands.

Discovery of the Cyberattack and Initial Measures

The cyberattack was detected in early February 2026, when Odido identified unauthorized activity in one of its internal systems related to customer data management. From the beginning, Odido recognized that the cyberattack represented a serious incident for both Odido and the security of the data stored by Odido. According to official information provided by Odido, the unauthorized access occurred in a database used for administrative management and customer service, making the cyberattack a particularly sensitive issue for Odido.

Once the cyberattack was confirmed, Odido immediately activated its incident response protocols to contain the attack and limit its impact on its systems. Odido blocked the unauthorized access linked to the attack and hired external cybersecurity experts to investigate the extent of the cyberattack within Odido’s infrastructure. Additionally, Odido notified the competent authorities about the incident and began informing customers potentially affected by the breach, emphasizing that Odido was actively working to mitigate the consequences of the attack.

Odido publicly assured that, despite the cyberattack, Odido’s telecommunications services—calls, messages, and internet access—continued to function normally during and after the attack. According to Odido, the attack focused on extracting information stored in Odido’s systems and not on operational disruption of Odido’s network. Nevertheless, both Odido and security experts agreed that the attack represents one of the most delicate episodes in Odido’s recent history.

What Information Was Compromised?

The magnitude of the incident affecting Odido lies in the type of data exposed in the cyberattack. The cyberattack against Odido was not only extensive in the number of records but also deep in the nature of the information compromised. Among the data potentially affected in the attack are:

• Full name
• Postal address
• Phone number
• Email address
• Date of birth
• Bank account number (IBAN)
• Passport or driver’s license number

The cyberattack put at risk highly sensitive information that Odido stored for administrative and contractual purposes. Not all fields were present in every affected record, as the information managed by Odido varies depending on the customer profile and the type of service contracted with Odido. However, even a partial combination of the leaked data can be extremely valuable for cybercriminals seeking to exploit information obtained from Odido’s systems. After the attack, Odido clarified that certain critical elements were not affected, including:

• Account access passwords
• Call records
• Consumption history
• Location data
• Direct credit card information

According to Odido, the cyberattack did not compromise stored passwords or communication history. Still, the fact that basic identifying information was exposed makes the incident a considerable risk. Although the absence of passwords reduces the immediate risk of direct access to Odido accounts, the combination of personal data obtained could be sufficient to facilitate sophisticated fraud, identity theft attempts, or social engineering campaigns specifically targeting Odido customers after the cyberattack.

Current and Former Customers: A Broader-than-Expected Database

One of the most controversial aspects of the Odido cyberattack was that it affected not only active customers but also former users whose contracts had ended years ago. The breach revealed that some of the compromised data belonged to individuals who had stopped being Odido customers up to a decade earlier, considerably amplifying the impact and historical scope of the stored information.

This aspect immediately sparked a debate about Odido’s data retention policies and how the company manages personal information in the long term. Under the European Union’s General Data Protection Regulation (GDPR), companies like Odido must apply the principles of minimization and limit the storage of personal information to the time strictly necessary. The cyberattack raised questions about whether Odido had strictly applied these principles before the breach.

The presence of old Odido data in active systems at the time of the attack suggests potential deficiencies in implementing these policies. While Odido may be legally or fiscally required to retain certain information, the attack demonstrates that maintaining large databases for long periods increases risk for both the company and affected individuals. In this context, the cyberattack not only exposed data but also highlighted the need to review how Odido stores, manages, and deletes personal information over time to reduce the impact of future attacks.

Social Engineering: The Human Link

Preliminary investigations indicated that the cyberattack on Odido was not the result of a particularly complex technical vulnerability but rather a carefully planned social engineering operation to penetrate Odido’s systems. The attack did not necessarily rely on exploiting advanced software flaws but on manipulating people within Odido to gain access.

According to early analyses, attackers likely tricked Odido employees with access to critical internal systems, possibly through highly personalized phishing campaigns targeting Odido staff. This type of attack typically involves impersonating legitimate communications—for example, messages appearing to come from Odido’s IT department or official suppliers—to obtain system credentials or install malware facilitating the attack.

Once inside Odido’s corporate environment, the attackers could move laterally through the internal infrastructure until locating sensitive databases. This pattern is characteristic of social engineering-based attacks: initial access is obtained through deception, and then the breach expands within the affected organization—in this case, Odido.

The attack highlights a widely recognized fact by security experts: the human factor remains the most vulnerable point in many organizations, including Odido. Even when Odido has technically robust systems, an attack can succeed if ongoing training is lacking or if information overload leads to critical mistakes. In this sense, the attack exposed not only Odido’s data but also the structural limitations any organization may face against a well-designed cyberattack.

Regulatory Reaction and Possible Legal Consequences

Following confirmation of the cyberattack, Odido formally notified the Dutch Data Protection Authority, the Autoriteit Persoonsgegevens, in compliance with the obligations established by the General Data Protection Regulation (GDPR). Odido’s notification of the cyberattack was a mandatory step within the European legal framework, especially given the magnitude of the attack and the volume of data compromised at Odido. Under this regulatory framework, companies like Odido must, in the event of a cyberattack:

• Notify security breaches within a specified period after detecting the cyberattack.
• Inform affected individuals when the cyberattack represents a significant risk to their rights and freedoms.
• Implement immediate corrective measures to contain the cyberattack and prevent new incidents at Odido.

The GDPR establishes that fines can reach up to 4% of a company’s global annual turnover in the case of serious violations related to a cyberattack or inadequate management of personal data. If investigations into the cyberattack determine that structural deficiencies existed in Odido’s data protection or in Odido’s data storage policies prior to the attack, Odido could face significant sanctions as a direct consequence of the cyberattack.

Beyond possible fines resulting from the cyberattack, Odido could also face class-action lawsuits if those affected by the attack can demonstrate economic harm resulting from the misuse of their information leaked during the cyberattack. In this scenario, the impact of the cyberattack on Odido would not be solely regulatory, but also financial and reputational, extending the consequences of the attack far beyond the initial technical incident.

Concrete Risks for Users

The exposure of personal data resulting from the Odido cyberattack carries significant risks for Odido’s customers and for Odido’s reputation as a company. The attack revealed sensitive information of millions of Odido users, increasing the likelihood that criminals will attempt to exploit this data in various fraud schemes specifically targeting Odido customers.

With full names, dates of birth, and document numbers leaked in the attack, criminals could attempt to open bank accounts or subscribe to services in the names of Odido victims, creating a direct risk for users affected by the cyberattack.

Although credit card data was not compromised in the Odido cyberattack, the exposure of bank account numbers (IBAN) facilitates fraud attempts through additional deception to obtain verification codes or authorizations. This type of targeted fraud directly affects Odido customers and the trust that users place in Odido.

Attackers could use the information obtained in the Odido cyberattack to send highly convincing messages that include real customer data. This strategy greatly increases the probability of success of phishing campaigns specifically directed at Odido users.

With personal data obtained from the cyberattack, criminals could attempt to convince operators to transfer Odido customers’ phone numbers to new SIM cards controlled by them. This technique allows interception of two-step authentication codes and compromises the security of multiple services associated with the numbers managed by Odido.

Overall, these risks arise directly from the Odido cyberattack and underscore the need for Odido to implement additional measures to protect its customers from the consequences of the attack. The magnitude of this cyberattack highlights the vulnerability of personal data within Odido and the importance of strengthening both technical systems and user education about potential threats resulting from the attack.

A Structural Problem in the Sector

The case of the Odido cyberattack is not isolated. The telecommunications sector, and Odido in particular, is especially attractive to cybercriminals due to the volume and quality of information managed by Odido. Companies like Odido hold identification data, financial information, and contact records that can be exploited in multiple ways by criminals after a cyberattack, increasing the importance of security within Odido.

Additionally, companies like Odido operate critical infrastructures, making Odido a strategic target for both organized crime and state-sponsored actors. Odido’s relevance in the national Dutch infrastructure amplifies the consequences of any cyberattack, making the protection of Odido’s systems a priority for the sector and regulators.

The increasing sophistication of cyberattacks against Odido requires continuous investment not only in technology but also in Odido’s organizational security culture. Regular audits, penetration testing, and internal phishing simulations are becoming standard practices within Odido and other high-profile companies in the sector. These measures are essential to reduce Odido’s vulnerability to future cyberattacks and to ensure that Odido customers’ information remains protected against the most advanced threats.

The leak affecting 6.2 million Odido customers marks a turning point in the European cybersecurity landscape in 2026. The cyberattack demonstrates that even large operators like Odido, with significant resources, can be vulnerable to well-planned and sophisticated attacks.

Although Odido acted quickly to detect the intrusion, the magnitude of the data exposed underscores the importance for Odido to review its storage policies, strengthen internal staff training, and apply strict principles of data minimization. Odido’s experience shows that no system is completely risk-free if technical measures, clear internal procedures, and continuous cybersecurity education are not combined.

For users, the Odido cyberattack is a reminder of the need to remain vigilant against potential fraud, identity theft, or phishing campaigns. For companies, including Odido, it represents a clear warning: in the digital economy, trust is fragile, and the protection of personal data is not only a legal obligation but also an essential commitment to millions of people who entrust their information to corporations every day.

In this context, having specialized cybersecurity and risk management advisory is more important than ever. ITD Consulting services can help companies protect their systems, prevent cyberattacks, and ensure the security of their customers’ data. For more information and to consult about solutions tailored to your needs, write to [email protected].