General

• How could this incident have happened?

  Cybercriminals were able to successfully gain access to our customer contact system. After the criminals gained access, they were able to download customer data in a covert and unauthorized manner.

• When did the cyberattack take place and was the data leaked?

  In the weekend of 7 and 8 February, we first received signals that there was a data breach. We immediately began further investigation together with our internal and external cybersecurity experts and took immediate action. As soon as the data breach was confirmed, we decided to inform the Dutch Data Protection Authority (Autoriteit Persoonsgegevens) and the affected customers as quickly as possible.

• What customer data was leaked?

  The data that was leaked differs per customer but may include name, contact details (name/address details, phone number), date of birth, customer number, email address, bank account number (IBAN), and identity document numbers and expiry date.

• Is our stolen data already online?

  As far as we currently know, the leaked data has not been published online at this time. We continue to monitor this continuously in cooperation with experts.

• Is it possible that the leaked data will still be published online?

  We cannot rule out that leaked data may be published or misused at some point. We advise all customers to remain very alert to unusual activities or contacts.

• How do customers know whether they are affected by the data breach?

  We sent a personal email to all customers who are affected. The sender of this email is info@mail.odido.nl. Customers for whom we do not have an email address received an SMS.

  Not all customers have been affected, so we only sent information to customers who have been impacted.

  Have you not received an email from info@mail.odido.nl or an SMS? Check your spam folder to be sure. If there is nothing there either, assume you have not been affected.

• What is Odido doing to prevent new incidents in the future?

  We take this incident very seriously. Immediately after discovering the data breach, we: 

  1. Blocked the unauthorized access to the customer contact system.  

  2. Implemented additional security measures.  

  3. Further scaled up monitoring for unusual activity.  

  4. Increased employee awareness of how cybercriminals operate (phishing).

• Was Odido’s security in order?

  The security of our infrastructure and our customers is our top priority. Our networks and systems are designed with security in mind. We are continuously working to improve our resilience. We work with external security experts to keep improving. However, cybercriminals operate in a highly advanced and targeted manner, and unfortunately no organization is immune. We continuously work on improvements and are using this incident as the reason for a thorough evaluation.

• What can cybercriminals do with the leaked data?

  With the leaked data, cybercriminals could, for example, try to:

  1. Impersonate customers or trusted companies – for example, posing as a bank or Odido and sending fake bills via phone or email.

  2. Phishing – fake emails or calls targeting customers or their contacts.

  What they cannot do (because it was not leaked): 

  • Use your passwords. 

  • View your call history.

  • Track your location.

• What can you do yourself?

  • Be extra alert to unexpected phone calls, SMS or WhatsApp messages, or emails. 
    Have you received a message and are you not sure whether you can trust it? On odido.nl/phishing you can read what to look out for and find tips on how to recognise phishing.

  • Check your bills and bank account regularly.  

  • Change your passwords if that makes you feel more comfortable, although this is not necessary, because no passwords were leaked. 

• Can customers continue to use Odido’s services safely after this data breach?

  Our services have not been affected. Customers can continue to call, use the internet, watch TV, and use all other Odido services as normal.

• Have Odido’s other brands (Ben & Simpel) also been affected by the cyberattack?

  Odido and Ben customers have been affected by the cyberattack. Ben has a separate information page: www.ben.nl/veiligheid. Simpel customers have not been affected.

• I saw that different kinds of emails are being sent about data that may have leaked. Did I get the right email?

  We sent 4 versions of the same email to our customers, because the data that may have leaked can be different per customer. These 4 versions are:  

  1. Only the name and address details were leaked. 

  2. Name and address details and bank details leaked.  

  3. Name and address details and ID details leaked.  

  4. Name and address details and ID details, and bank details leaked. 

  It can happen in a household or a company where several different types of emails are sent. This is because there can be several accounts at one address. In general, it is wise to follow all the tips we give to be extra careful about all versions. Being extra careful is always better. 

  We underscore that your Mijn Odido password, your subscription details, your call details, your bill details or your location details, and any scans of identity documents are not part of the data leak. 

• Have you, as Odido, also informed banks and other institutions so that they too can be vigilant in such situations?

  We are in contact with various organizations regarding this data leak. However, for customers, it is currently most important to remain extra alert themselves. You can find our tips on this page.

• I want to cancel my order, but I am past the 14 days. Is that allowed?

  The data leak itself is not a valid reason to terminate your agreement early.

• I have not received an e-mail or text message yet. What does that mean? Are you done informing customers? And does it mean I was not affected if I did not get an e-mail?

  If you did not receive an e-mail or text message from Odido, you can assume you were not affected. To be sure, also check your spam folder once more to see if an e-mail ended up there.

• I want to make a formal request to Odido to get written confirmation of what happened, the cause, the period involved, the steps taken to prevent damage, and how you will protect me.

  We refer you to this page where you can find the available information. In short, we took the following steps to help customers prevent damage:  

  1. Ended the unauthorized access.  

  2. Personally informed customers by email and/or text message so everyone can be extra alert.  

  3. Informed the Dutch Data Protection Authority about this incident.  

  4. Brought external cybersecurity experts for extra support. 
     

Identification details

• Why did you keep very sensitive data such as ID (driving license or passport) after activation? Are you allowed to do that? And can this be deleted urgently?

  We want to emphasize that no copies and/or scans of IDs are part of the data leak. We have also stated this earlier in our communications.

  We also want to point out that the Central Helpdesk for Identity Fraud has also stressed that a data leak does not automatically mean identity fraud, or that identity fraud can be done with the stolen data. 

  You can find the advice from the CMI here: https://www.rvig.nl/nieuws/12-02-2026-datalek-odido-veroorzaakt-ongerustheid-cmi-geeft-advies 

  To prevent fraud when taking out a mobile subscription, we always check your identity and therefore register the number of your identity documents. This way we know for sure that you are the one taking out the subscription, and we can show that it was you. This also helps prevent contracts, subscriptions, or phones from ending up with the wrong person. If you took out phone credit with Odido Finance, Odido is required by law to check your identity. We must record and keep the number of the identity documents you used to identify yourself for up to 5 years after your phone credit ends. 

• I have read about the data breach at Odido. Do I now need to replace my passport or driving licence?

  No, based on our current information, replacing an identity document is not necessary at this time. We are following the current government advice from the Central Identity Fraud Reporting Centre (CMI).

  You can find the CMI's advice here: https://www.rvig.nl/nieuws/12-02-2026-datalek-odido-veroorzaakt-ongerustheid-cmi-geeft-advies

• I have replaced (or need to replace) my passport and/or driving licence. Will Odido cover the cost of replacing these identity documents?

  We understand that this situation can be worrying, and that you may want to take extra precautions. Based on what we know today, replacing your passport or driver’s license is not necessary at this time. We are closely following the guidance from the Dutch authorities, including the Central Identity Fraud Reporting Centre (CMI). In line with their current advice, those documents do not need to be replaced, so we do not reimburse the costs of replacing these documents at this time.

  We will continue to monitor the situation and the official guidance.

  You can read the CMI’s advice here: https://www.rvig.nl/nieuws/12-02-2026-datalek-odido-veroorzaakt-ongerustheid-cmi-geeft-advies

• If my passport details have been leaked, does this include my national insurance number?

  Your national insurance number is not part of the leaked ID details. Odido does not store national insurance numbers in its systems.

Bank account number

• My bank account number has been leaked. Do I need to request a new bank account number?

  No, in our opinion, the data breach at Odido does not necessitate changing your bank account number. The Dutch Banking Association (NVB) has also emphasized that it is not possible to log in to your banking environment with a back account number, such as your banking app or online banking. Your bank account is therefore secure according to the NVB.

  You can find the NVB's advice here: https://www.nvb.nl/nieuws/datalek-odido/

Login details

• There are rumours that customer passwords have also been leaked. Is this true?

  No, this is incorrect. We would like to emphasize that no passwords from My Odido or other login systems have been leaked. The passwords that customers use to log in are stored in encrypted form and have never been accessible. Your My Odido account is secure.

  What has been leaked is a field from the customer contact system called “password_c”. Despite its name, this is not a password, but a so-called challenge word or code word. This was used as an additional security question when a customer contacted us by telephone. This code word does not give access to accounts, services or personal data and is completely separate from the systems in which customers log in.

  Such an additional code word was registered for a limited group of customers. As soon as we heard that these code words were included in the leak, telephone verification based on these code words was immediately discontinued.

• I received an email from Odido asking me to change my password. Is this legitimate?

  Odido never sends messages asking you to change your password. Stay alert, and if you don’t trust a message, don’t take any action. For tips on how to recognize phishing, visit odido.nl/phishing.

Compensation

• I suffered damage from an incident (e.g. phishing) and I have clear proof. Can you help me undo this? And can I get compensation?

  Sorry to hear that you may have suffered damage because of an incident. Based on the information Odido has at this time, we have no reason to think that any damage is the result of the Odido data leak. If Odido informed you about the data leak, we refer you to our information page for all the tips we currently give to our customers. 

  Regarding compensation, we answer the following. A data leak does not automatically give a right to compensation. Our work is currently focused on preventing customers from suffering any damage because of this incident. We informed customers in advance so they can be extra alert for suspicious signs. This is in line with the advice of the Central Helpdesk for Identity Fraud (CMI) of the Dutch government.

  The CMI also emphasizes that identity fraud does not automatically apply, and that identity fraud cannot automatically be done with the stolen data. The CMI also says that with the affected data you cannot simply take out a loan, open a bank account, or take out a phone subscription. You also cannot request a new identity document with it. Extra checks are needed for that, such as a real identity document, your DigiD, or your bank login details. 

  You can find the full advice here: https://www.rvig.nl/nieuws/12-02-2026-datalek-odido-veroorzaakt-ongerustheid-cmi-geeft-advies 

• I have seen advice from cybersecurity experts stating that I am entitled to compensation (e.g. Tweakers). I want that compensation now. What is your compensation policy?

  A data leak does not automatically give a right to compensation. Our work is currently focused on preventing customers from suffering any damage because of this incident. We informed customers in advance so they can be extra alert for suspicious signs. This is in line with the advice of the Central Helpdesk for Identity Fraud (CMI) of the Dutch government. Be careful with parties that give advice that is different from what the CMI advises. 

  You can find the full advice here: https://www.rvig.nl/nieuws/12-02-2026-datalek-odido-veroorzaakt-ongerustheid-cmi-geeft-advies 

Details of former customers

• I have just cancelled / I am no longer an active customer of Odido. Why did you keep my data?

  Not an active customer: 
  Odido keeps your contact details for up to 2 years after your contract ends, and you switch to another provider, in case you want to become a customer again within this period. We also say this in the privacy statement on our website. Because you switched less than 2 years ago, your details were still in the system, and that is why you received an email or text message. 

  Just cancelled: 
  To process your cancellation correctly, we still need your data to carry out your contract. Odido also keeps your data for up to 2 years after your contract ends, in case you want to become a customer again within this period.
  
  You can find our privacy statement here: https://www.odido.nl/privacy.

• I switched more than 2 years ago but still received an email or text message. How is that possible?

  Odido uses a period of 2 years in the system after all duties on both sides are finished. If you still had unpaid bills after you switched, or service questions that were not finished yet, the 2 years started when the bills were paid, and the questions were handled.

• I am no longer an active customer; I want you to delete my data immediately. Can you arrange that?

  Odido has a standard process for requests to delete customer data. Only a small group of employees are allowed to handle these requests. We kindly ask you to follow our normal process for this. Only in this way can we also check the identity of the person making the request. We refer you to the form on our website: 
  Brochures and forms. 

  The waiting time may be longer than normal. We ask for your understanding. 

Business

• Have end-user details also been leaked for business customers with multiple people in the organization?

  For business customers, end-user details have not been leaked.

Contact

• I still have additional questions. Where can I go?

  We understand that you may still have questions. We ask you to check this page for updates. Our customer service team is currently not able to provide more information than what can be found on this page.

  If you do have urgent questions, please contact us.

  Consumer: https://www.odido.nl/service-contact
  Business: https://www.odido.nl/zakelijk/contact