NOS Nieuws•
A massive data breach at Dutch telecom provider Odido has compromised the data of 6.2 million accounts, ranking it among the largest data leaks in the Netherlands’ history. The incident, first detected over the weekend, has raised significant concerns about potential fraud and identity theft.
“I can’t recall a company having this much data leaked,” stated Sijmen Ruwhof, an ethical hacker, highlighting the scale of the breach. The compromised data includes standard personal information, but critically likewise incorporates bank account details – a less common occurrence – and copies of passport or driver’s license numbers.
Ruwhof emphasized the sensitivity of the combination of data obtained, noting that national identification numbers were not part of the breach. This incident underscores the growing vulnerability of large corporations to sophisticated cyberattacks and the potential financial and reputational damage that can result.
While the exact number of individuals affected is still being determined, Odido is currently investigating the scope of the data compromise. The company initially stated that identification data (passport or driver’s license number and validity) had been compromised, but later clarified this information in communications with news outlets.
According to Ruwhof, the stolen personal data could be used by criminals to craft highly convincing phishing messages, impersonating legitimate businesses and exploiting the authenticity of the information to trick individuals into revealing further sensitive details. He warned that these messages often contain links to fraudulent websites designed to steal passwords and grant criminals broader access to victims’ lives.
Ruwhof further cautioned that the stolen data could also enable criminals to impersonate individuals when contacting companies, potentially authenticating themselves using details like the last three digits of a bank account number, postal code, and date of birth. This poses a significant risk of fraudulent activity and unauthorized account access.
Ethical hacker Matthijs Koot added that the stolen information represents a “goldmine” for hostile intelligence agencies seeking to map potential targets, including politicians and employees of critical infrastructure organizations.
The scale of the breach, with 6.2 million records compromised, suggests a significant failure in Odido’s security controls, according to Ruwhof. “This represents an enormous amount of unique personal data, and it’s highly valuable. It’s very possible that the criminals will offer the data for sale,” he said, also raising the possibility of a ransom demand.
Odido director Tisha van Lammeren stated that the company began notifying customers around noon on February 12, once it had determined which data had been stolen on a per-customer basis. She explained that the delay was due to the need to avoid sharing inaccurate information, and the complexity of informing millions of customers.
Van Lammeren declined to comment on the state of the company’s security measures, stating only that customer safety is the top priority and acknowledging the sophistication of the cybercriminals involved. She also did not disclose whether a ransom demand had been made.
