Data of ministers, protected individuals found in massive Odido hack affecting millions

Personal data belonging to four Dutch ministers, a senior intelligence service employee, three individuals under government protection, and more than 16,000 people working in vital or strategic sectors—including employees at companies such as ASML, Damen, and Philips—has been found in the massive Odido data breach, days after hackers published the full cache of stolen customer data online, according to investigations by RTL and Follow the Money.

The hackers breached Odido’s systems in early February and stole personal data linked to at least 6.2 million accounts belonging to current and former customers. The stolen information included names, addresses, bank account numbers, and identification document numbers. The group, ShinyHunters, initially demanded about 1 million euros to prevent the data from being released, later lowering the demand to 500,000 euros. Odido refused to pay, saying it would “not allow itself to be blackmailed,” citing advice from police and cybersecurity firms.

The leaked records reportedly include data linked to employees of several major Dutch technology and defense-related companies. Follow the Money identified data belonging to 288 current or former employees of semiconductor company NXP, 110 from chip machine manufacturer ASML, 18 from shipbuilder Damen, and 16 from defense company Thales. The largest number of exposed employee records came from Philips, with 1,276.

Phone numbers were available for 13,271 people, passport numbers for 4,862, birth dates for 5,700, bank account numbers for at least 1,386, and home addresses for 1,366.

RTL reported that the dataset also contains personal information tied to four ministers and three people who currently receive government security protection. The data includes email addresses, phone numbers, and passport details, as well as the home address of one protected individual.

The leak also contains information linked to state secretaries, members of parliament, and a senior employee of an intelligence service. Sources told RTL that officials in The Hague reacted with alarm to the findings. A government spokesperson said authorities “do not comment on the involvement of any potential data belonging to ministers in this leak.”

Some people within the national protection system reportedly said they had not been informed by Odido that their information might have been exposed. “I really didn’t know this,” said one protected individual. “I’m going to take extra measures.” The person’s home address was among the leaked data.

Another protected individual told the newspaper that they had not received an email or phone call from Odido. A third person who receives daily security said they had only received a general email about the breach and had heard nothing further for weeks. Odido said it would not comment while the investigation is ongoing.

Cybersecurity expert Sijmen Ruwhof told RTL that the exposure of personal data belonging to ministers and protected individuals has national security implications. “When personal data of ministers and protected persons leaks, it touches on national security interests,” Ruwhof said. “Leaked data increases the chance of targeted intimidation and successful hacking attacks. For this group of people the threat profile is considerably higher than for ordinary citizens. Even if only one home address is now on the internet, it remains a very serious physical security issue. You cannot remove it anymore.”

A spokesperson for the National Coordinator for Security and Counterterrorism (NCTV), responsible for the security of protected individuals, said authorities are monitoring the situation.

“This gives those involved an unpleasant and possibly worrying feeling,” the spokesperson said. “We are aware of the situation and are closely monitoring it. We anticipate the current situation and, where necessary, take appropriate measures.”

Authorities warn that the leaked data is now widely circulating on the open internet, increasing the risk of misuse. Messages referring to the Odido breach are also being shared on social media, and both downloading and distributing the leaked data is illegal.

Police are now conducting a criminal investigation under the direction of the National Public Prosecutor’s Office, according to State Secretary for Digital Economy Willemijn Aerdts. Regulators — the Netherlands Inspectorate for Digital Infrastructure and the Dutch Data Protection Authority — will determine whether Odido had sufficient security measures in place to prevent the cyberattack.

The full dataset has also been added to the website Have I Been Pwned, which experts recommend for checking whether personal data has been compromised. In the Netherlands, people can also check through the police website Check Je Hack whether their Odido data was included in the breach.

Odido has meanwhile faced criticism from customers over its communication about the incident. Some say they received only a single email about the breach in early February.