What Happened
In February 2026, Dutch telecommunications provider Odido (formerly T-Mobile Netherlands and Tele2) suffered a cyberattack detected over the February 7 weekend, where hackers breached its customer contact system (CRM environment) and stole personal data of approximately 6.2 million customers—about a third of the Netherlands’ population, including former customers from the past two years. The exposed information varied by customer but included full names, addresses, mobile numbers, email addresses, customer numbers, IBAN bank account numbers, dates of birth, and government ID details such as passport or driver’s license numbers and validity dates, along with customer service notes; notably, passwords, call logs, billing data, location info, and ID scans were unaffected, and business customers and core services like phone, internet, and TV remained operational. Odido promptly blocked access, notified affected customers via email/SMS, reported the incident to the Dutch Data Protection Authority, engaged external experts for mitigation and monitoring, and published an FAQ; threat actors attempted extortion, and around 6 million unique email addresses were later published in four data releases.
