Use of mobile phone in trendy neon lights showing cyber attack on mobile network operator

Cyber Attack on the Largest Dutch Mobile Network Operator Odido Affects 6.2 Million Customers

The largest telecommunications service provider in the Netherlands has confirmed that a cyber attack exposed the personal information of over 6 million customers.

The Hague-based Odido says it detected signs of a cyber attack over the weekend of February 7 and 8 and immediately initiated an investigation, assisted by internal and external cybersecurity experts.

The probe traced the security breach to a client contact system, from which the threat actor exfiltrated personal information.

“After the criminals gained access, they were able to download customer data in a covert and unauthorized manner,” the company stated.

Dutch service provider Odido leaks personal information following a cyber attack

Odido says the cyber attack allowed the attackers to exfiltrate customer information, including full names, dates of birth, addresses and cities of residence, mobile phone number, customer number, email addresses, bank account numbers (IBAN), and identification details such as passports or driver’s license numbers, and their validity.

However, login passwords from My Odido and other systems, call details, location data, billing information, and scans of identity documents were not compromised.

Nevertheless, rumors persisted that the cyber attack also leaked passwords. However, Odido explained that a security question requested by customer representatives called “password_c” was exposed during the attack, but it does not grant the threat actor access to their accounts.

“This code word does not give access to accounts, services or personal data and is completely separate from the systems in which customers log in,” the company said.

Meanwhile, the company’s core services, such as phone, internet, and television, were unaffected by the cyber attack.

Odido data breach impacts 6.2 million customers

According to the mobile network operator, only a subset of customers were affected. However, a local media outlet reported the data breach affected 6.2 million of its 7 million customers. Odido subsidiary Ben NL was also affected by the cyber attack, while Simpel was spared.

Additionally, former customers who terminated their contracts with Odido less than 2 years ago were affected due to the company’s data retention policies.

Upon learning of the cyber attack, Odido responded by blocking the threat actor’s access and notifying the Dutch Data Protection Authority (AP) to comply with privacy regulations, and also as a gesture of its commitment to transparency.

“Odido reported to the Dutch Data Protection Authority and reached out directly to affected customers, which is what GDPR requires and what gives those customers a window to act before the stolen data gets used against them,” said Aaron Colclough, VP of Operations, Suzu Labs.

The company also hired external cybersecurity experts to assist in securing the impacted system and implement additional security measures to prevent a similar cyber attack.

It also notified impacted customers by text and email and launched a dedicated information page to assist them in navigating the data breach. The company also advised customers to be on the lookout for suspicious activity. Odido said it was in the process of notifying financial institutions, but warns that customers are the first line of defense against phishing attacks.

“The follow-through matters too,” added Colclough. “Affected customers need clear, ongoing support, and both the company and regulators should be watching for misuse of the stolen data.”

Currently, there is no evidence that the threat actor has leaked the stolen data online, although the company cannot rule out the possibility in the future. Nonetheless, Odido promised to continue to monitor the situation with the assistance of third-party cybersecurity experts.