TL;DR: Dutch telecom giant Odido disclosed on February 13, 2026 that hackers compromised its customer contact system and downloaded personal data on 6.2 million customers, roughly one-third of the Netherlands' entire population. The stolen data includes names, addresses, phone numbers, dates of birth, bank account numbers (IBANs), and passport or driver's license details. Odido claims call records, location data, and ID scans weren't taken. Security researchers aren't buying it. One called the breach "truly one of the worst horror scenarios" and said the data is worth "gold" to criminals.

What Happened

Odido detected something wrong on the weekend of February 7-8, 2026. Hackers had broken into what the company calls a "customer contact system": the kind of database customer service reps access when you call with a billing question.[1]

By the time Odido noticed, the attackers had already downloaded customer data for 6.2 million accounts. That's customers of Odido itself plus Ben, another mobile brand the company owns. The budget carrier Simpel wasn't affected.[2]

CEO Søren Abildgaard said the company "ended unauthorized access as quickly as possible" and brought in external cybersecurity experts. Odido notified the Dutch Data Protection Authority and started sending personalized notifications to affected customers via email and SMS.[2]

The company's services (calls, internet, TV) stayed online throughout. The attack targeted customer data, not infrastructure.

What They Stole

The damage list is ugly:[1][2]

  • Names and addresses (home and email)
  • Phone numbers
  • Dates of birth
  • Bank account numbers (IBANs)
  • Government ID details: passport or driver's license numbers and expiration dates

Odido says the attackers didn't get:[2]

  • Passwords
  • Call or text records
  • Location data
  • Billing information
  • Scanned images of IDs

Whether that's true, or whether Odido just can't prove they were taken, remains unclear. Customer service databases often contain more than companies admit.

"One of the Worst Horror Scenarios"

Dutch security researchers aren't sugarcoating this one.

Ethical hacker Sijmen Ruwhof told NL Times: "I can't think of a company from which so much data has leaked." He called the combination of exposed information "quite unique" and "extremely sensitive."[3]

Matthijs Koot, another ethical hacker, went further: "Truly one of the worst horror scenarios." He pointed out that the data isn't just useful for common fraud: it's valuable to intelligence services who could use it to identify government employees, critical infrastructure workers, and politicians.[3]

Both researchers described the stolen data as worth "gold" to criminals.[3]

What Criminals Do With This Data

The Odido breach gives attackers everything they need to impersonate you convincingly. Experts outlined the likely attack vectors:[3]

Phishing With Real Details

Scammers can craft emails and texts using your actual name, address, phone number, and bank details. When the message already knows who you are, you're more likely to click.

Identity Theft

With passport numbers, dates of birth, and addresses, criminals can answer security questions, open accounts in your name, and pass identity verification at banks and government agencies.

Bank and Helpdesk Fraud

Armed with your IBAN and ID details, attackers can call your bank or phone company, pretend to be you, and authorize transfers or account changes.

Stalking and Doxxing

Home addresses plus phone numbers make harassment campaigns trivial. Abusers and extremists pay for exactly this kind of data.

Security researcher Koot raised another concern: hostile intelligence services could cross-reference the Odido data against job postings and LinkedIn profiles to identify people working in sensitive government roles or critical infrastructure.[3]

Scale in Context

The Netherlands has a population of about 18 million. Odido just exposed data on roughly one in three Dutch residents.[1]

This is one of the largest data breaches in Dutch history. For comparison:

  • The 2020 RDC breach affected 6 million
  • The 2019 Hema breach hit 2 million
  • Odido: 6.2 million accounts, with banking and ID details included

The breach also highlights a persistent problem: customer service systems are often the weakest link. They're accessed by hundreds of employees, contain sensitive data, and rarely get the same security attention as payment systems.

If You're Affected

Odido is sending personalized notifications listing exactly which of your details were exposed. In the meantime:

Watch for Phishing

Expect highly convincing scam calls, texts, and emails. Attackers know your name, address, phone number, and bank. They'll use it.

Monitor Your Bank Account

Your IBAN is out there. Set up transaction alerts. Check for unfamiliar direct debits or transfers. Report suspicious activity immediately.

Consider a Credit Freeze

In the Netherlands, contact BKR to request a fraud alert. This makes it harder for criminals to open accounts in your name.

Report ID Theft Promptly

If your passport or driver's license number was exposed, watch for misuse. Report any identity theft to police and the Dutch Fraudehelpdesk.

Telecoms Keep Getting Hit

Odido joins a long list of telecom breaches in recent months:

  • AT&T's 176 million enriched records circulating since February 2026
  • T-Mobile's $31.5 million FCC settlement (January 2025) for multiple breaches
  • Optus Australia's 10 million customer breach (2022)

Phone companies sit on massive datasets of personal information, and their customer service systems are often the front door for attackers. Social engineering, credential theft, and insider threats all target these systems because they contain exactly what criminals want: identity data, banking details, and personal information verified by a trusted company.

This won't be the last telecom breach. It won't even be the last Dutch one. The question is whether regulators will start treating customer service systems with the same scrutiny they give payment infrastructure.

References

  1. TechCrunch: Dutch phone giant Odido says millions of customers affected by data breach (February 13, 2026)
  2. The Register: Dutch telco Odido admits 6.2M customers affected in breach (February 13, 2026)
  3. NL Times: Stolen Odido data worth "gold" for criminals (February 14, 2026)