What happened
Dutch telecommunications provider Odido disclosed that a cyberattack exposed personal data belonging to approximately 6.2 million customers after attackers breached its customer contact system. The company detected the incident on February 7 and launched an investigation with internal and external cybersecurity experts. According to Odido, threat actors gained unauthorized access to a customer contact system and downloaded personal information stored in that environment. Exposed data may include full names, addresses, mobile numbers, email addresses, customer numbers, IBAN account numbers, dates of birth, and identification data such as passport or driver’s license details. Odido stated that passwords, call logs, billing information, and identification document scans were not affected. The company blocked unauthorized access, reported the breach to the Dutch Data Protection Authority, and began notifying impacted customers while strengthening monitoring and security controls.
Who is affected
Approximately 6.2 million customers of Odido are affected, as attackers accessed personal information stored in the company’s customer contact system, including identifying and contact details associated with telecommunications accounts.
Why CISOs should care
The compromise of a telecommunications provider’s customer contact system highlights how centralized customer data repositories can become high-value targets for attackers seeking large volumes of personal and financial information.
3 practical actions
- Secure customer contact systems. Ensure access controls and monitoring protect centralized repositories containing customer information.
- Notify affected individuals. Inform impacted customers promptly and provide guidance on protecting their personal data.
- Strengthen security monitoring. Increase detection and response capabilities to identify unauthorized access and prevent further compromise.
