The Dutch branch of telecommunications provider Odido reported that personal information for more than 6.2 million customers was exposed in a cyberattack discovered earlier in February 2026. The company said it detected unauthorized access to its customer relationship management systems over the weekend of 7 and 8 February and moved to stop the intrusion once identified.
Odido stated that attackers downloaded a range of customer data from its systems. The information that may have been accessed includes full names, postal addresses, telephone numbers, customer identification numbers, bank account details, dates of birth, and government-issued identity numbers such as passport and driver’s licence numbers.
The telecom provider said that some types of sensitive data were not taken. According to the company, passwords, phone call records, phone location information, billing details, and scanned copies of identity documents remained secure and were not exfiltrated during the incident.
Odido notified affected customers by email or text message about the breach and explained the steps the company has taken in response. The company also reported the incident to the Dutch privacy and data protection authority, known as Autoriteit Persoonsgegevens, as required under national law.
In a press statement, Odido said it blocked the unauthorized access once it became aware of the breach and implemented additional security measures to prevent further intrusions. The statement also said the company increased monitoring for unusual activity and raised employee awareness about cyber threats. Odido emphasised that its operational services continued without interruption, and customers could still make calls, use internet services, and watch television as usual.
The company warned that the stolen information could be used in fraudulent activity. It advised customers to remain vigilant for potential phishing attempts or scams that might attempt to exploit the exposed data by impersonating a reputable company, sending fake invoices, or seeking additional information.
As of the time of reporting, Odido said none of the stolen data had been published online or on underground internet forums, and no criminal group had publicly claimed responsibility for the breach.
Odido competes in the Dutch telecommunications market with other providers, including KPN and VodafoneZiggo. The company was formerly part of T-Mobile Netherlands before being acquired by private equity firms in 2021.
Affected customers and others potentially at risk were encouraged by Odido to monitor their personal accounts and report any suspicious activity to the company or relevant authorities.