Stolen Odido data worth “gold” for criminals

The stolen data from Dutch telecom provider Odido are worth “gold” for criminals, experts said, after a breach exposed information from 6.2 million accounts—one of the largest ever reported in the Netherlands. Odido began notifying customers at 12 p.m. Thursday after identifying which data may have been accessed for each account.

It is not yet clear how many people were affected. Odido said the stolen information may differ per customer, and the investigation is ongoing.

Ethical hacker Sijmen Ruwhof said the combination of data exposed is unusual. “I can’t think of a company from which so much data has leaked,” he told NOS. Hackers obtained standard personal details and IBAN bank account numbers, which Ruwhof said is uncommon. “They also managed to copy passport or driver’s license numbers. And that combination is quite unique; these are extremely sensitive personal data.”

According to Odido, the stolen information may include full name; address and city; mobile phone number; customer number; email address; IBAN; date of birth; and identification details, including passport or driver’s license numbers and their validity. Data not stolen include passwords for “My Odido,” call logs, location data, billing information, and scans of ID documents.

Ruwhof warned that criminals could use the stolen data to commit highly convincing fraud. “With personal data, criminals can send messages that look exceptionally real,” he said. “Such emails or text messages can include your actual details while pretending to be a legitimate company.” Victims could be tricked into entering passwords on fake websites. “If you enter your password there, it is sent to criminals, giving them even more access to your life.”

He also noted criminals could impersonate victims when calling companies. “You often have to answer a few questions, such as the last three digits of your bank account number, your postal code, and your date of birth, to authenticate yourself,” he said. “That risk is certainly present. Criminals can pose as you without contacting you, take out contracts, and commit other forms of fraud.”

Ethical hacker Matthijs Koot said the leak could increase helpdesk fraud, bank fraud, and other scams. He described the stolen data as a valuable resource for hostile intelligence services, noting they could map phone numbers and addresses of politicians or track employees of government agencies, energy companies, and ports.

Ruwhof said the breach shows Odido lacked control when the data were stolen. “Six million records leaking is enormous. At the moment the data was stolen, the cybersecurity department should have intervened,” he said. He added that the data could be sold or used to extort the company. Odido declined to comment on whether hackers had made demands.

Experts also said the leak could help stalkers and doxxers locate victims. Koot added that criminals, including drug offenders, could use the information to identify other criminals who use regular phone subscriptions. “A data leak like this is truly one of the worst horror scenarios,” he told NOS.

Odido CEO Tisha van Lammeren said the company only began notifying customers after identifying the affected information. “You don’t want to share incorrect information,” she said, adding that notifying millions of customers is time-consuming. She declined to comment on the adequacy of the company’s security or whether the hackers had made any demands. “The safety of our customers is our top priority. That this happens shows how cunning cybercriminals are.”