The recent cyberattack at Odido in February 2026, in which the personal data of millions of customers fell into the hands of criminals, once again demonstrates the significant impact data breaches at critical service providers can have. Notably, Odido communicated transparently and swiftly regarding the incident, the potential consequences, and the measures being taken. This openness helps customers and organizations understand risks in a timely manner and take appropriate action. At the same time, this situation introduces new threats for companies that rely on telecommunications services or whose employees are Odido customers.
⚠️ Update: Latest developments (February 17, 2026)
Since the initial report of the data breach at Odido, new details have emerged. Here is what we currently know based on the latest reports:
- Scope and affected data: Odido has confirmed that the data of approximately 6.2 million customers (including its subsidiary brand Ben) has been stolen. This includes names, addresses, dates of birth, IBAN numbers, telephone numbers, and in some cases the numbers and expiration dates of identity documents (passports or driver’s licenses). According to Odido, passwords and call history have remained secure.
- Cause of attack: According to sources close to the investigation, hackers gained access to the Salesforce customer environment through social engineering of employees. Criminals managed to obtain login details and 2FA codes from helpdesk employees, giving them access to the systems.
- Exceeding retention period: Research by the Financieel Dagblad newspaper shows that Odido retained data from former customers for much longer than its own privacy policy allows. Data from customers who had left years ago (sometimes up to 10 years after the end of their contract) was also part of the leak, even though it should have been deleted after two years. The Dutch Data Protection Authority (AP) is investigating this violation.
- Additional security measures: Odido has immediately implemented stricter verification rules. For sensitive changes, such as requesting a new SIM card, additional checks are now carried out to prevent identity fraud (such as SIM swapping).
- Compensation: Although there are many questions about compensation, Odido takes the position that there is no direct financial compensation (yet), unless customers have suffered demonstrable financial damage. Legal experts warn that collective claims in the Netherlands are often a lengthy process.
The consequences for business customers
Based on the information shared by Odido itself, the greatest risk lies not in the continuity of service, but in the potential misuse of leaked personal data. Because data such as names, addresses, contact details, banking information, and in some cases identification data have been stolen, criminals possess strong identity information. This allows them to convincingly impersonate customers, suppliers, or service providers. For organizations, this means an increased risk of targeted social engineering, where attackers attempt to gain trust through familiar communication channels such as telephone, email, or messaging apps.
How can this data breach be exploited?
In data breaches of this nature, exploitation primarily revolves around identity, trust, and access. Because the leaked data contains sensitive personal information (contact details, IBAN, potentially ID data), criminals can present themselves very credibly as real individuals or organizations. This creates several forms of abuse for businesses.
Identity fraud
Criminals can impersonate customers, employees, suppliers, or partners. Because they possess genuine personal data, they can gain the trust of help desks, support departments, or finance teams. This can lead to unauthorized changes to accounts, contracts, or contact information. For companies, this means that verification based on standard personal data becomes less reliable.
Targeted phishing and social engineering
Using real names and contact details, attackers can send highly convincing messages via email, SMS, WhatsApp, or telephone. These can be directed at employees, customers, or business contacts. Instead of generic phishing, attacks become personalized and contextual, making employees more likely to respond or share information.
Invoice fraud and modification of payment details
Since bank account numbers and identity information may be known, criminals can attempt to manipulate financial processes. For example, they may request changes to payment details, send fraudulent invoices, or pose as a supplier or service provider. This primarily affects procurement and administrative processes and can cause direct financial damage.
Account takeover and access abuse
Personal data is often used for account recovery or identity verification. Attackers can use this information to request password resets, gain access to accounts, or impersonate a legitimate user.
CEO fraud
With personal data regarding executives or contact persons, attackers can impersonate managers or decision-makers and make urgent financial or operational requests. Because the information appears authentic, employees are more likely to act without additional verification.
Building comprehensive profiles for future attacks
Even if data is not exploited immediately, it can be combined with other data breaches to create comprehensive profiles of individuals or organizations. This information can later be used for targeted supply chain attacks, fraud, or espionage.
Advice for Odido business customers
For organizations that use Odido or whose employees may be customers, it is advisable to treat the incident as a period of heightened threat. The telecommunications service remains functional, but criminals can use the leaked data to exploit trust.
It is beneficial to proactively inform employees that a major supplier has been affected by a data breach and that they may be approached in a more targeted manner. Communicating transparently prevents uncertainty and increases the likelihood that employees will recognize suspicious situations.
Ask employees to be extra vigilant regarding unexpected calls, messages, or requests where personal information is used to gain trust. Explain that attackers may pose as Odido, banks, suppliers, colleagues, or internal departments. Requests concerning payments, account changes, or verification codes deserve particular attention.
Additionally, it is wise to designate a clear internal reporting point where employees can immediately report suspicious communication. An accessible reporting process ensures that signals become visible quickly and prevents incidents from going unnoticed.
It also helps to temporarily place extra emphasis on verification procedures. Employees should know that it is always permissible to verify requests through a second channel or to ask for additional confirmation, especially for financial or account-related actions.
Finally, it is important to emphasize the human element: employees do not need to be security experts, but their alertness can make the difference.
Conclusion
The way Odido has communicated the incident deserves recognition. By providing swift clarity on the nature of the breach and the potential risks, the company enables customers and partners to take timely measures. At the same time, this incident shows that cyberattacks are rarely limited to a single organization. In a highly connected digital economy, incidents at one party can affect the entire chain. It is therefore essential for companies to monitor not only their own security but also the risks arising from the suppliers and service providers on whom they depend.
For organizations looking to strengthen their digital resilience, this means that continuous monitoring of suppliers and their cyber incidents is becoming increasingly important. Insight into incidents at critical parties helps companies recognize risks faster and take proactive measures before damage occurs. It is precisely during incidents like this that the importance of supply chain visibility for effective risk management becomes clear.
