Update about cyberattack.

What happened

• How did the cyberattack unfold?

  The attacker contacted our customer service team pretending to be a member of our IT staff. The first voice phishing (“vishing”) attack took place on 5 February, with another attack on 6 February. In both instances, our team detected the unauthorized access immediately, investigated the incident and revoked the threat actor’s access. Phishing attacks like this are not uncommon, and our staff are trained to detect them. But the specific attack that led to data exfiltration was very sophisticated.

• Who was the threat actor?

  A cybercriminal organization known as ‘ShinyHunters’.

• Is the investigation into the cyberattack complete?

  Our teams have worked closely with external cybersecurity experts to understand the full scope of the incident and the affected data. We have concluded our data analysis in relation to notifications that we have sent to our customers.

• Can customers continue to use Odido’s services safely after this data incident?

  Yes, all our services remain fully available – they were not affected by the cyberattack. Customers can continue to call and use the internet safely, as well as watch TV.

• Have Odido’s other brands (Ben & Simpel) also been affected by the cyberattack?

  Our investigation showed that Ben customers were affected by the cyberattack. All those affected customers have already been notified. Simpel customers were not impacted by the attack.

• How many customers were affected?

  In total, approximately 6.39 million people were affected by the cyberattack. We informed the vast majority of them in the initial notification within days of confirming the breach via a personal e-mail or SMS. These were both active and inactive customers of Odido and Ben. Further analysis in the weeks after the attack showed that additional notifications needed to be issued to a small group of customers who had not yet been reached.

  We have contacted all customers whom we determined to have been affected via e-mail or SMS. In addition, we provided information to our customers through a dedicated webpage and through our service agents and retails organisation.   

• Why weren’t all customers notified at the same time?

  One of the most important lessons we’ve learned is how difficult it can be for an organization – particularly one of our size – to complete a full analysis of the data impacted in a cyberattack.

  As a result, balancing speed and accuracy in our communications was a significant challenge. We wanted to be on the front-foot, so we informed millions of customers within days that their data had been impacted. As our investigation progressed and more detailed findings became available, we provided customers with updated information to ensure they had the most accurate and complete picture.

• What steps did Odido take to support those affected?

  Throughout the past few months, we have scaled up our capacity by over 140 agents to answer customer questions and further help customers. We’ve also offered customers practical protective options, such as the option to change their phone number, to help protect against threats. We promise to continue to offer additional security measures for our customers over the coming months, including our “Check je gesprek” solution, which is a simple way for customers to verify it’s Odido contacting them, and access to digital security service F-Secure.

The data affected

• What data was affected?

  The data affected differed per person and included information such as name, address, mobile number, customer number, email address, IBAN number, date of birth, identification details, nationality and gender. To be clear, the data did not include Mijn Odido passwords, call details, location data, billing data or scans of identity documents.

  In limited cases, additional information you may have shared with our customer service team could also have been affected. If you have questions about your specific situation, you can submit a data access request.

• There are rumours that customer passwords have also been leaked. Is this true?

  No, this is incorrect. We would like to emphasize that no passwords from My Odido or other login systems have been leaked. The passwords that customers use to log in are stored in encrypted form and have never been accessible. Your My Odido account is secure.

  What has been leaked is a field from the customer contact system called “password_c”. Despite its name, this is not a password, but a so-called challenge word or code word. This was used as an additional security question when a customer contacted us by telephone. This code word does not give access to accounts, services or personal data and is completely separate from the systems in which customers log in.

  This additional code word was registered for a limited group of customers. As soon as we heard that these code words were included in the leak, telephone verification based on these code words was immediately discontinued.

• My bank account number has been leaked. Do I need to request a new bank account number?

  The Dutch Banking Association (NVB) has emphasized that it is not possible to log in to your banking environment with a bank account number, such as your banking app or online banking. It is therefore our opinion that the incident does not necessitate changing your bank account number. You can find the NVB's advice here:  https://www.nvb.nl/nieuws/datalek-odido/
  
  

• Can individual customers find out what exact data of theirs has been leaked?

  We know that you want to confirm the data that was leaked from you individually; we have scaled up our customer service team so that they can answer your questions directly. You can also look at the F-secure service or the website ‘Check je hack’ for confirmation.

• Why did Odido retain so much data, including sensitive information?

  The main part of the affected data was used as part of everyday business practices to enable our sales and customer services teams to do their jobs. Other parts of the affected data were retained in line with customary retention periods. We are conducting a full critical review of our data retention policies and processes.

• If I am no longer an active customer, can you arrange to delete my data?

  Odido has a standard process in place for requests to delete customer data, which is handled by a dedicated team. This process also allows us to verify the identity of the person making the request, helping to ensure your data is protected. We would be grateful if you could submit your request via the form on our website:
  Brochures and forms. 

• Why didn’t Odido pay the ransom?

  Acting on clear and consistent guidance from authorities, we did not pay the ransom. We knew that this decision could lead to the stolen data being published. But, ultimately, there could be no other decision. We strongly believe that criminal organizations should not be rewarded for illegal activities; paying the ransom could put a target on the back of other Dutch businesses.

  Of course, we understand the impact of this decision – and this incident - on all our customers. Our focus has always been – and remains – supporting those affected.

Staying safe after a cyberattack

• I received an email from Odido asking me to change my password. Is this legitimate?

  Odido never sends messages asking you to change your password. Stay alert, and if you don’t trust a message, don’t take any action. For tips on how to recognize phishing, visit  odido.nl/phishing.

• How are you helping customers stay safe online?

  We have offered customers practical protective options, such as the option to change their phone number, and free access to digital security service F-Secure, to help protect devices against phishing, malware and other online threats. We have also launched our “Check je gesprek” initiative, which gives customers a simple, reliable way to verify that they are genuinely being contacted by Odido. This is now available through the Odido app.

• For how long will customers receive free security software?

  You get 24 months of free access to the F‑Secure digital security service. Text VOUCHER to 1935 before 31st August 2026 to activate your 24-month subscription.

How we’re moving forward

• How are you making sure this will not happen again?

  First and foremost, we’re working closely with external cybersecurity experts to enhance our security posture. We have already implemented additional security measures and we’ve created a task force to assess our entire IT landscape. We are committed to implementing any further measures identified through this assessment.

  We are also introducing additional training programs – including cybersecurity e-learning modules – to ensure our people are a stronger first-line of defense against cyber threats.

  And critically, we have strengthened our data governance by adding extra external expertise and capacity. In light of the incident we are doing a full critical review of our data retention policies and processes.

• Can you tell us more about the security measures you’re implementing?

  For safety reasons, we cannot disclose exactly what we are doing to further strengthen and protect our systems. 

• I still have additional questions. Where can I go?

  We understand that you may still have questions. If you have questions that are not answered on this page, please contact us.

  Consumer:  https://www.odido.nl/service-contact
  Business:  https://www.odido.nl/zakelijk/contact