Odido Data Breach Exposes 6.2 Million Dutch Telecom

Netherlands' Largest Mobile Operator Breached

Odido, the Netherlands' largest mobile network operator (formerly T-Mobile Netherlands), has disclosed a massive data breach affecting 6.2 million customers, including subscribers of its Ben mobile brand. The breach, detected over the weekend of February 7-8, 2026, exposed highly sensitive personal and financial information.

What Was Exposed

Data Type	Risk Level
Full names	High
Home addresses	High
Email addresses	High
Phone numbers	High
Dates of birth	High
Bank account numbers (IBAN)	Critical
Identity document details	Critical

The exposure of bank account numbers and identity documents makes this breach particularly dangerous, enabling identity theft, financial fraud, and targeted social engineering attacks.

Breach Timeline

Feb 7-8    — Odido detects unauthorized access to customer database
Feb 9      — Internal investigation confirms scope of breach
Feb 10-11  — Forensic analysis determines 6.2 million customers affected
Feb 12-13  — Odido publicly discloses the breach

Impact Assessment

Scale

With 6.2 million affected customers, this is one of the largest data breaches in Dutch history. The Netherlands has a population of approximately 17.8 million, meaning roughly 1 in 3 Dutch residents could be affected.

Who Is Affected

Odido mobile subscribers (current and recent former customers)
Ben mobile subscribers (Odido's budget mobile brand)
Both prepaid and postpaid customers

Financial Data Exposure

The inclusion of IBAN bank account numbers is particularly concerning because:

IBANs can be used for unauthorized direct debit transactions in the SEPA (Single Euro Payments Area) zone
Combined with names and addresses, attackers can create convincing impersonation attempts for bank fraud
Dutch banks may need to implement additional monitoring for affected accounts

Identity Document Exposure

The exposure of identity document details enables:

Identity theft — Opening accounts, loans, or services in victims' names
Government service fraud — Accessing tax, benefits, or healthcare systems
International travel fraud — Depending on the level of document detail exposed

Current Status

As of publication, the stolen data has not yet been published on dark web forums or leak sites. However, security researchers warn that:

Data may appear for sale on underground markets in the coming weeks
Targeted phishing campaigns impersonating Odido are expected
Affected customers should assume their data is in hostile hands

Recommendations for Affected Customers

Immediate Steps

Monitor bank accounts — Watch for unauthorized direct debits or transactions referencing your IBAN
Contact your bank — Inform them of the breach and request enhanced monitoring
Be wary of phishing — Expect emails, calls, and texts impersonating Odido or your bank
Enable account alerts — Set up notifications for all banking transactions
Report identity fraud — If you notice suspicious activity, report to the Dutch police and the Identity Fraud Helpdesk (Centraal Meldpunt Identiteitsfraude)

Long-Term Protection

Monitor credit reports — Check for accounts opened in your name via BKR (Bureau Krediet Registratie)
Use unique passwords — Ensure your Odido and banking passwords are unique
Enable 2FA everywhere — Especially on banking and government service accounts
Consider identity monitoring — Services that watch for your data on dark web markets

Regulatory Implications

Under the GDPR, Odido faces potential fines of up to 4% of annual global revenue from the Dutch Data Protection Authority (Autoriteit Persoonsgegevens). The exposure of financial and identity data — considered special category data — is likely to result in significant regulatory scrutiny.

Odido has confirmed it has notified the Autoriteit Persoonsgegevens as required under GDPR Article 33 (72-hour notification requirement).

Sources

Netherlands' Largest Mobile Operator Breached

What Was Exposed

Data Type	Risk Level
Full names	High
Home addresses	High
Email addresses	High
Phone numbers	High
Dates of birth	High
Bank account numbers (IBAN)	Critical
Identity document details	Critical

The exposure of bank account numbers and identity documents makes this breach particularly dangerous, enabling identity theft, financial fraud, and targeted social engineering attacks.

Breach Timeline

Feb 7-8    — Odido detects unauthorized access to customer database
Feb 9      — Internal investigation confirms scope of breach
Feb 10-11  — Forensic analysis determines 6.2 million customers affected
Feb 12-13  — Odido publicly discloses the breach

Impact Assessment

Scale

Who Is Affected

Odido mobile subscribers (current and recent former customers)
Ben mobile subscribers (Odido's budget mobile brand)
Both prepaid and postpaid customers

Financial Data Exposure

The inclusion of IBAN bank account numbers is particularly concerning because:

IBANs can be used for unauthorized direct debit transactions in the SEPA (Single Euro Payments Area) zone
Combined with names and addresses, attackers can create convincing impersonation attempts for bank fraud
Dutch banks may need to implement additional monitoring for affected accounts

Identity Document Exposure

The exposure of identity document details enables:

Identity theft — Opening accounts, loans, or services in victims' names
Government service fraud — Accessing tax, benefits, or healthcare systems
International travel fraud — Depending on the level of document detail exposed

Current Status

As of publication, the stolen data has not yet been published on dark web forums or leak sites. However, security researchers warn that:

Data may appear for sale on underground markets in the coming weeks
Targeted phishing campaigns impersonating Odido are expected
Affected customers should assume their data is in hostile hands

Recommendations for Affected Customers

Immediate Steps

Monitor bank accounts — Watch for unauthorized direct debits or transactions referencing your IBAN
Contact your bank — Inform them of the breach and request enhanced monitoring
Be wary of phishing — Expect emails, calls, and texts impersonating Odido or your bank
Enable account alerts — Set up notifications for all banking transactions
Report identity fraud — If you notice suspicious activity, report to the Dutch police and the Identity Fraud Helpdesk (Centraal Meldpunt Identiteitsfraude)

Long-Term Protection

Monitor credit reports — Check for accounts opened in your name via BKR (Bureau Krediet Registratie)
Use unique passwords — Ensure your Odido and banking passwords are unique
Enable 2FA everywhere — Especially on banking and government service accounts
Consider identity monitoring — Services that watch for your data on dark web markets

Regulatory Implications

Odido has confirmed it has notified the Autoriteit Persoonsgegevens as required under GDPR Article 33 (72-hour notification requirement).

Odido Data Breach Exposes 6.2 Million Dutch Telecom

Netherlands' Largest Mobile Operator Breached

What Was Exposed

Breach Timeline

Impact Assessment

Scale

Who Is Affected

Financial Data Exposure

Identity Document Exposure

Current Status

Recommendations for Affected Customers

Immediate Steps

Long-Term Protection

Regulatory Implications

Sources

23andMe $47 Million Settlement Approved for 7 Million Breach Victims

Japanese Energy Firm Loses Drive with Data of 10.9 Million Clients

Maine Breach Portal Abused to Publish Fake Data Breach Disclosures

Odido Data Breach Exposes 6.2 Million Dutch Telecom

Netherlands' Largest Mobile Operator Breached

What Was Exposed

Breach Timeline

Impact Assessment

Scale

Who Is Affected

Financial Data Exposure

Identity Document Exposure

Current Status

Recommendations for Affected Customers

Immediate Steps

Long-Term Protection

Regulatory Implications

Sources

23andMe $47 Million Settlement Approved for 7 Million Breach Victims

Japanese Energy Firm Loses Drive with Data of 10.9 Million Clients

Maine Breach Portal Abused to Publish Fake Data Breach Disclosures

Netherlands' Largest Mobile Operator Breached

What Was Exposed

Breach Timeline

Impact Assessment

Scale

Who Is Affected

Financial Data Exposure

Identity Document Exposure

Current Status

Recommendations for Affected Customers

Immediate Steps

Long-Term Protection

Regulatory Implications

Sources

Related Reading

Netherlands' Largest Mobile Operator Breached

What Was Exposed

Breach Timeline

Impact Assessment

Scale

Who Is Affected

Financial Data Exposure

Identity Document Exposure

Current Status

Recommendations for Affected Customers

Immediate Steps

Long-Term Protection

Regulatory Implications

Sources

Related Reading