Dutch Telecom Giant Odido Hit by "Mega-Breach": 6.2 Million Records Exposed
In what is being described as one of the largest data security failures in Dutch history, telecommunications provider Odido (formerly T-Mobile Netherlands) has confirmed a massive data breach impacting approximately 6.2 million customers.
The breach, which was detected over the weekend of February 7–8, 2026, has sent shockwaves through the European telecom sector, raising critical questions about the security of third-party CRM integrations and the long-term retention of customer data.
The Attack Vector: A "Classic" Application Layer Hit
Initial investigations suggest the breach did not target Odido’s core network infrastructure.
Instead, threat actors gained unauthorized access to a customer contact system.
Technical reports indicate the attackers likely exploited a vulnerability in a web-facing application (mapped to MITRE ATT&CK technique T1190) or utilized compromised valid accounts (T1078).
Some industry reports point toward a Salesforce environment as the specific point of entry, potentially compromised through a combination of social engineering and credential stuffing.
Once inside, the attackers were able to download a significant repository of Personally Identifiable Information (PII).
What Was Stolen?
While Odido was quick to clarify that passwords, call logs, and billing data remain secure, the "haul" of PII is extensive enough to fuel identity theft and spear-phishing campaigns for years to come.
The compromised data includes:
- Full names and home addresses
- Email addresses and mobile phone numbers
- Dates of birth
- IBANs (international bank account numbers)
- Passport and Driver’s License numbers (including validity dates)
"Most organizations don't treat their contact and support platforms as critical infrastructure, but that's where customer data lives," noted Aaron Colclough, VP of Operations at Suzu Labs, in a statement regarding the incident.
The "Ghost Data" Controversy
A particularly concerning detail emerged following the breach: many affected individuals were no longer Odido customers.
Reports indicate that some victims had switched providers 5 to 10 years ago, yet their sensitive data, including passport numbers, remained on Odido’s servers.
This has sparked a debate over GDPR compliance and the "right to be forgotten," given that the company's stated retention policy is typically a two-year period.
Hacklido’s Take: The Security Breakdown
For the cybersecurity community, this breach serves as a stark reminder of several "failing" points:
- Lateral Movement & Segmentation: That attackers could extract millions of records from a "contact system" suggests a lack of granular access controls and of monitoring for bulk data exports.
- The CRM Weak Link: Customer Relationship Management (CRM) tools are often the "soft underbelly" of major corporations—highly accessible by design but frequently under-secured compared to core databases.
- Data Minimization Failures: Storing passport data for former customers from a decade ago is a ticking time bomb. If you don't need the data, delete it.
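As an added illustration of the bulk-export monitoring point above (this is not code from the article, from Odido or from any CRM vendor), the following Python flags accounts whose exported record volume inside a sliding time window exceeds a threshold. The audit-log format, the one-hour window and the 5,000-record threshold are assumptions, and the log lines are constructed.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample audit log (not real data): timestamp,user,action,record_count.
# One integration account pages through the contact table in mid-sized exports
# overnight, alongside ordinary daytime agent activity.
SAMPLE_LOG = """\
2026-02-07T02:10:05Z,svc-integration,EXPORT,4500
2026-02-07T02:12:41Z,svc-integration,EXPORT,4500
2026-02-07T02:15:09Z,svc-integration,EXPORT,4500
2026-02-07T02:17:58Z,svc-integration,EXPORT,4500
2026-02-07T09:03:12Z,agent.jdoe,VIEW,1
2026-02-07T09:05:44Z,agent.jdoe,EXPORT,120
2026-02-07T11:30:00Z,agent.msmith,EXPORT,250
"""

def parse_log(text):
    """Parse lines into (timestamp, user, action, count); skip malformed lines."""
    events = []
    for line in text.splitlines():
        parts = line.strip().split(",")
        if len(parts) != 4:
            continue
        ts, user, action, count = parts
        try:
            events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), user, action, int(count)))
        except ValueError:
            continue
    return events

def find_bulk_exporters(events, window=timedelta(hours=1), threshold=5000):
    """Return {user: peak records exported inside any `window`} for users over `threshold`."""
    # Summing across events catches paged "low and slow" extraction that a
    # per-request size cap alone would miss.
    exports = defaultdict(list)
    for ts, user, action, count in sorted(events):
        if action == "EXPORT":
            exports[user].append((ts, count))
    flagged = {}
    for user, rows in exports.items():
        start = running = peak = 0
        for ts, count in rows:
            running += count
            while ts - rows[start][0] > window:  # evict events older than the window
                running -= rows[start][1]
                start += 1
            peak = max(peak, running)
        if peak > threshold:
            flagged[user] = peak
    return flagged
```

Running `find_bulk_exporters(parse_log(SAMPLE_LOG))` flags only the integration account, whose four overnight exports sum to 18,000 records inside one hour while each individual request stays well under the threshold.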
Team Hacklido ❤️