Netherlands’ largest leak? Telcom provider Odido breach exposes 6.2 million customers

Hackers infiltrate CRM system of T-Mobile successor; sensitive id data and bank details stolen in massive weekend raid.

In what is being described as one of the largest private data leaks in Dutch history, the telecommunications giant Odido (formerly T-Mobile Netherlands) confirmed on February 12, 2026, that hackers compromised its systems. The breach exposed the personal information of approximately 6.2 million customers, nearly 90% of its entire user base.

The intrusion targeted the company’s Customer Relationship Management (CRM) system over the weekend of February 7–8, allowing attackers to download a massive archive of sensitive subscriber data.

The data dump: More than just phone numbers

While Odido emphasized that core network services remained operational, the sheer depth of the stolen information has put millions at risk of identity theft.

The stolen files include full names, physical addresses, email addresses, phone numbers, and IBAN bank account numbers. Worse still, the breach included government-issued ID details, such as passport and driver’s license numbers, along with their expiration dates.

The company confirmed that passwords, call logs, real-time location data, and full scans of identity documents were not stored in the compromised system and remain secure.

The "silent" intrusion

The breach was not discovered by Odido’s internal security teams until the hackers themselves reached out to the company to brag about the heist.

The timeline

Unauthorized access began on Saturday, February 7. Odido blocked the access shortly after being notified by the threat actors and launched a forensic investigation with external cybersecurity specialists.

Customers of Ben, a popular sub-brand owned by Odido, were also affected by the breach. However, users of the low-budget brand Simpel were reportedly spared.

Odido has formally reported the incident to the Dutch Data Protection Authority (AP), which is now monitoring the company’s response and notification process.

Expert warning: A phishing "goldmine"

Ethical hackers and security analysts are sounding the alarm on the long-term fallout. Because the attackers have both bank account numbers and official ID data, they can craft near-perfect phishing campaigns.

"I can't think of a company that has had so much data leaked in this country," ethical hacker Sijmen Ruwhof told NOS. "With this data, criminals can pose as you to banks or other companies, enter into contracts in your name, or send incredibly convincing fake invoices."

Odido has begun the massive task of emailing all affected customers - a process expected to take several days. They are urging all Dutch residents to be "extra vigilant" for any calls or texts asking for pins or passwords, even if the caller appears to know their private details.