Decoding the world of cybersecurity

Odido breach probe turns to Dutch suspects

Dutch police say their investigation into the Odido breach has found indications of local involvement, including a Dutch-speaking caller posing as IT staff.

Odido breach probe turns to Dutch suspects
Summary
  • Dutch police say the Odido investigation points to possible involvement by Dutch criminals.
  • Odido says approximately 6.39 million people were affected by the February cyberattack.
  • The case combines vishing, customer-service trust, telecoms data exposure, and post-breach misuse risk.

Odido is facing renewed scrutiny after Dutch police said their investigation into the telecoms provider’s cyberattack has found indications of possible involvement by Dutch criminals.

The police update says the investigation remains under way and that the public prosecution service and Team High Tech Crime are seeking information about possible suspects. Police said the breach involved data belonging to more than six million customers, and that servers used by the hacker group to distribute data were taken offline early in the investigation.

The most operationally relevant detail is the alleged use of voice-based social engineering. Police said the investigation identified a telephone call shortly before the attack in which a Dutch-speaking man pretended to be an Odido IT employee during contact with customer service. The company was then allegedly misled through phishing, after which the data theft took place.

Odido’s own customer update says the attacker contacted customer service while pretending to be a member of IT staff, with voice phishing attacks taking place on 5 and 6 February. The company says the specific attack that led to data exfiltration was sophisticated, and attributes the threat actor to ShinyHunters. It says approximately 6.39 million people were affected, including Odido and Ben customers, while Simpel customers were not impacted.

The affected data differed by person and included information such as name, address, mobile number, customer number, email address, IBAN, date of birth, identification details, nationality, and gender. Odido says Mijn Odido passwords, call details, location data, billing data, and scans of identity documents were not included.

The case shows how telecoms cyber risk often sits between identity, process control, and data governance. A customer-service workflow that can be manipulated by someone posing as internal IT is not merely a training problem. It touches authentication of privileged support actions, verification of internal requests, access logging, and the speed with which suspicious behaviour is isolated once a social-engineering attempt succeeds.

Telecoms providers hold data that is unusually valuable to criminals because it supports impersonation, account takeover, SIM-related fraud, targeted phishing, and financial scams. Even where passwords and call-detail records are not exposed, combinations of name, date of birth, contact details, customer numbers, and in some cases bank-account information can support more convincing downstream attacks.

The Dutch police update also shows why incident closure rarely follows the same timetable as customer communication. Odido says it has concluded its data analysis for customer notifications, but the criminal investigation may run for months. Customers, regulators, and business partners need information before law enforcement has final attribution, arrests, or a complete account of the attack chain.

Telecoms and other high-volume customer-service organisations will need to examine caller authentication, internal support verification, least-privilege access, out-of-band approval for sensitive actions, and monitoring of unusual support activity. Attackers do not need to defeat cryptography when process trust allows them to borrow authority from inside the organisation.

×