Hackers Stole Passport Numbers and Bank Details From 6.2 Million Dutch Telecom Customers

The Breach

Odido detected the intrusion on February 7, 2026. Attackers had breached the company's customer contact system, a platform used by support agents to manage account inquiries, billing issues, and service requests. The system contained detailed personal records for the majority of Odido's customer base.

The company disclosed the breach publicly on February 12, five days after detection. Odido reported the incident to the Dutch Data Protection Authority, known as the Autoriteit Persoonsgegevens, and engaged external cybersecurity experts to investigate the scope and method of the attack.

Odido has not disclosed how attackers gained access to the customer contact system or how long they had access before detection. The company stated that phone, internet, and television services were not disrupted during or after the breach.

What Was Stolen

The stolen data is extensive and includes some of the most sensitive categories of personal information that a telecom provider holds. Confirmed compromised data includes:

• Full names
• Phone numbers
• Postal addresses and email addresses
• Dates of birth
• Bank account numbers (IBAN)
• Government issued ID details, including passport numbers, driver's license numbers, and validity dates

The presence of IBAN numbers and government identification details makes this breach particularly dangerous. Unlike passwords, which can be changed, or credit card numbers, which can be reissued, passport numbers and bank account details are difficult or impossible to replace quickly. These identifiers can be used for financial fraud, identity theft, and social engineering attacks for years after the initial breach.

The Scale

The Netherlands has approximately 18 million residents. With 6.2 million customer records compromised, the Odido breach affects roughly one in three Dutch residents. In a country of that size, a breach this large means that a significant portion of the adult population now has their passport number, bank account details, and personal information in the hands of attackers.

To put this in perspective, the breach is proportionally equivalent to a US telecom losing the personal records of over 110 million customers. It is one of the largest data breaches in Dutch history and among the most significant telecom breaches in Europe.

The scale creates a national level problem. When one in three residents is affected, the breach becomes a systemic risk rather than an individual one. Banks, government agencies, and other institutions that rely on the compromised identifiers for verification will need to account for the fact that this data is now potentially in circulation.

What Wasn’t Compromised

Odido confirmed that several categories of data were not accessed during the breach. Account passwords were not stored in the compromised system and remain secure. Call logs, text message records, and browsing history were not part of the customer contact database. Billing information beyond IBAN numbers, such as payment histories and outstanding balances, was also not affected.

The company emphasized that its core network infrastructure, the systems that deliver phone, internet, and television services, was not compromised. Customers did not experience service disruptions, and there is no indication that the attackers gained access to communications content or network traffic.

However, the data that was stolen is arguably more valuable to attackers than call logs or browsing history. Government IDs and bank account numbers are the building blocks of identity fraud, and they retain their value long after the breach itself has been remediated.

The Phishing Risk

The combination of data stolen in the Odido breach creates ideal conditions for targeted phishing attacks. Attackers who know a person's name, date of birth, address, phone number, email, and bank account number can craft extremely convincing messages that appear to come from banks, government agencies, or Odido itself.

A phishing email that includes your correct IBAN, references your actual address, and addresses you by name is far more likely to succeed than a generic scam message. Affected customers should expect an increase in targeted phishing attempts via email, text message, and phone calls in the months following the breach.

The stolen government ID details add another layer of risk. Attackers can use passport numbers and driver's license information to pass identity verification checks, potentially opening new accounts, redirecting mail, or accessing services that use these identifiers for authentication.

Odido’s Response

Odido reported the breach to the Dutch Data Protection Authority as required under the European Union's General Data Protection Regulation. The company engaged external cybersecurity firms to conduct a forensic investigation and assist with remediation. Affected customers were notified and advised to monitor their accounts for suspicious activity.

The company has not disclosed whether a ransom was demanded or whether the stolen data has appeared on underground forums. Odido also has not confirmed the identity of the attackers or the specific vulnerability that was exploited to access the customer contact system.

Under GDPR, Odido faces potential fines of up to four percent of its annual global revenue if regulators determine that the company failed to implement adequate security measures. The Dutch Data Protection Authority has been increasingly active in enforcing data protection requirements, and a breach of this magnitude is likely to receive significant regulatory scrutiny.

Telecom Breaches Are Getting Worse

The Odido breach is part of a worsening trend of attacks against telecommunications providers worldwide. Telecom companies are uniquely attractive targets because they hold enormous volumes of personal data, operate complex legacy systems, and serve as critical infrastructure that cannot easily be taken offline for security upgrades.

In the past two years alone, major telecom breaches have affected providers across the United States, Australia, Thailand, and now the Netherlands. T-Mobile, Odido's former parent brand, has itself been breached multiple times in recent years, suggesting that the industry as a whole struggles with securing the customer data it collects.

The pattern is clear. Telecom companies collect more personal information than almost any other type of business, including government IDs submitted for account verification, bank details for billing, and contact information for service delivery. When these systems are breached, the consequences are severe and long lasting.

What This Means

The Odido breach is a reminder that the data companies collect during routine business operations can become a liability of extraordinary proportions. A customer contact system, the kind of platform used to handle billing questions and service requests, contained enough personal information to compromise the identities of one third of the Dutch population.

For the 6.2 million affected individuals, the immediate risk is targeted phishing and identity fraud. The long term risk is that passport numbers and bank account details circulate through criminal networks for years, surfacing in fraud attempts that may seem unconnected to the original breach.

The Odido breach underscores a fundamental problem with how telecom companies handle personal data. They collect it because their business requires it. They store it because regulations require retention. And when attackers breach their systems, the damage affects millions of people who had no choice but to hand over their most sensitive information to get a phone plan.