Odido Confirms Major Breach, 6.5 Million Dutch Customer Records Found on Dark Web

Last updated: February 12, 2026
  • Odido, the biggest telecom provider in the Netherlands, allegedly just got hit by a massive data breach and the hackers stole information from 6.5 million customers.

  • The stolen data include customers’ names, addresses, IBANs, dates of birth, email addresses, and even government ID numbers.

  • This isn’t the first time Odido’s had trouble. Just a few months ago, the company had to pay a €1.52 million fine for big security lapses in its wiretapping system.

The Netherlands’ biggest telecom provider, Odido, reportedly just got hacked. A threat actor made off with the personal data of 6.5 million people.

That’s roughly a third of the entire country. And here’s the kicker: we don’t even know who did it yet.

Details of the Alleged Data Leak

According to a February 12 post on X, the alleged Odido data breach exposed a terrifyingly complete set of personal details. We’re talking names, home addresses, full IBANs, birthdates, emails, and scanned passport or national ID numbers.

That’s not just spam-fodder; it’s full-identity theft fuel. If someone gets their hands on your IBAN or a scan of your ID, they can open bank accounts. Apply for loans. Or just sell the whole package to someone else who will commit the fraud.

Odido hasn’t said which systems were hit, or when. The company also hasn’t named the threat actor or group behind it. All we know is this: the data of 6.5 million people is probably floating around some random criminal channels right now.

Odido’s Previous Woes

This isn’t Odido’s first security trouble. Last October, the Dutch Authority for Digital Infrastructure, RDI for short, fined them €1.52 million (over 1.8 million USD). The reason? They found major security lapses in the company’s wiretapping system.

Investigators looked into it, and what they found was very alarming: Odido had no mandatory security plan. There was also no proper screening of employees who access the wiretap system. Some staff lacked job descriptions or signed confidentiality agreements. And a lot of them never handed over a Certificate of Good Conduct.

Here’s another really alarming part. Third-party vendors could connect to the system remotely. Meaning, they could get their hands on state secrets and sensitive criminal case files.

The RDI didn’t mince words; it said sensitive interception data wasn’t locked down the way it should’ve been. They eventually fixed the vulnerabilities. But the fine stayed—as a warning, basically.

Earlier still, in July last year, Odido had a nationwide outage. Hours of cell service were lost, and customers couldn’t use their phones or place calls. Simpel and Ben, two other brands under the Odido umbrella, went dark too.

The company said it wasn’t a cyberattack; just an emergency repair that… spiraled. But today’s news is telling us their technical woes didn’t end after that outage.

Implications of the Breach and What’s Next

Here’s the hard truth: data like this doesn’t just sit around. It gets traded.

On the dark web? A clean Dutch passport scan with a verified IBAN is premium stock. Hackers sell these in bulk. Identity fraud rings buy them up.

This illicit economy operates on specialized criminal hosting infrastructure, which authorities are actively targeting; in a recent operation, Dutch police successfully dismantled a major provider of such services, disrupting the digital foundations that enable these data markets to function.

Then there are phishing gangs. They know exactly which Odido customer to call. What bank that customer uses. How to sound legit when they call.

Affected customers should expect a wave of highly personalized scams in the coming weeks. Emails with your actual address in them. Texts that claim to be from Odido support and quote your real customer ID.

For now, Odido’s job is to investigate how deep this incident goes and whether the intruder is still inside. But honestly? The company’s reputation is already at stake. As a telecom provider, you can’t store ID docs and bank details of millions of people, lose them, and still have people trust you, especially not six months after a huge fine for sloppy security.

Regulators will be watching. And for the 6.5 million people caught in the middle of this? The next few months will mean watching their bank accounts a little closer.

About the Author

Memchick E

Digital Privacy Journalist

Memchick is a digital privacy journalist who investigates how technology and policy impact personal freedom. Her work explores surveillance capitalism, encryption laws, and the real-world consequences of data leaks. She is driven by a mission to demystify digital rights and empower readers with the knowledge to protect their anonymity online.
