Odido Telecom Suffers Major Data Breach Exposing 6.2 Million Customer Records
Dutch telecommunications provider Odido has disclosed a significant security incident affecting millions of customer accounts. According to an official company statement released Thursday, unauthorized threat actors successfully infiltrated the organization's customer contact management system and exfiltrated substantial volumes of sensitive customer data.
A company spokesperson confirmed to local media outlets that the breach impacted approximately 6.2 million customers, representing roughly one-third of the Netherlands' total population. The compromised dataset encompasses a wide range of personally identifiable information (PII).
Compromised data elements include:
• Customer full names
• Mobile phone numbers
• Physical mailing addresses
• Email addresses
• Dates of birth
• IBAN bank account numbers
• Government-issued identification details (passport and driver's license numbers with validity dates)
The security incident also affects former subscribers who maintained active services within the previous 24-month period. However, Odido emphasized that certain critical data categories remained secure, including call detail records (CDRs), geolocation data, billing information, and scanned copies of government identification documents.
The breach is limited to consumer accounts, with business customer data remaining unaffected. Both Odido and its subsidiary Ben NL confirmed that core telecommunications infrastructure—including voice, internet, and television services—continued operating without disruption throughout the incident.
This security breach represents the latest in an escalating series of cyberattacks targeting telecommunications infrastructure globally. Threat actors, ranging from nation-state sponsored groups to financially motivated cybercriminal organizations, continue to exploit the vast repositories of sensitive customer information maintained by telecom operators.
Recent intelligence reports indicate that earlier this week, Singaporean authorities confirmed a China-affiliated advanced persistent threat (APT) group had previously compromised four major domestic telecommunications providers as part of a surveillance operation, though customer PII was reportedly not accessed in that campaign.
Concurrently, the sophisticated threat actor cluster identified as Salt Typhoon, linked to Chinese state interests, has demonstrated persistent targeting of telecommunications infrastructure across multiple jurisdictions. Documented compromises include operators in Canada, Norway, the United Kingdom, and the United States, with the FBI confirming at least 200 affected American organizations. These intrusions form part of an extensive espionage campaign focused on intelligence collection targeting senior government officials and diplomatic personnel.
Sources:
• Odido Official Statement
• NU.nl Report
• Ben NL Security Information
• UK NCSC Advisory