Hackers Forced Dutch Telco Odido to Acknowledge Its Own Massive Data Breach
Details on how attackers exfiltrated millions of Odido records without alarms, the timeline, impact, and defensive steps for organizations.

TL;DR
On February 5, attackers exfiltrated millions of Odido customer records without triggering alarms; the breach was only confirmed after the hacker group ShinyHunters contacted the company on February 7. Odido later disclosed the incident, sent 6.2 million notifications, and faces regulatory probes and a class‑action suit.
Context
Odido, a Dutch telecommunications provider, suffered a phishing‑based intrusion that gave attackers valid internal credentials. Although the compromised account was blocked within an hour, the attackers had already moved laterally and prepared for data exfiltration. On February 5, they downloaded millions of customer records without triggering any security alarms, a fact later confirmed by CEO Tisha van Lammeren, who said she was “extremely surprised by the speed at which everything happened.”
Key Facts
- The intrusion began with a phishing email that harvested employee credentials (MITRE ATT&CK T1566, Phishing).
- The attackers used the stolen credentials to access internal systems (T1078, Valid Accounts), staged the customer data (T1074, Data Staged) and exfiltrated it (Exfiltration tactic, TA0010); the exfiltration channel has not been reported.
- No alerts fired during the exfiltration, which points to a gap in detection coverage for bulk data access.
- On February 7, the hacker group ShinyHunters contacted Odido to say it held the stolen data; this is how the company confirmed the breach.
- In early March, after ShinyHunters published the data on the dark web, Odido learned that business-customer records were also compromised, widening the scope beyond consumer accounts.
- Odido sent 6.2 million SMS or email notifications to current and former customers shortly after the breach.
- Two regulatory investigations are under way, one into the security controls and one into data-retention practices, and the privacy foundation Consumers United in Court has filed a class-action lawsuit.
What It Means
The incident highlights how a single phishing success can lead to large‑scale data loss when monitoring fails to detect anomalous access patterns. Odido’s delayed recognition forced the company to rely on the attackers’ own disclosure, undermining trust and prompting criticism of its crisis communication. The ongoing regulatory reviews may result in fines or mandated improvements to security governance, while the class‑action suit could lead to financial liability.
Mitigations
- Enforce multi-factor authentication on all privileged and remote-access accounts. Because the initial access here was phishing, prefer phishing-resistant methods (FIDO2/WebAuthn or PIV), as CISA's guidance on implementing phishing-resistant MFA recommends; one-time codes and push prompts can be relayed by an adversary-in-the-middle phishing kit.
- Deploy UEBA or anomaly detection that baselines per-account data volume and flags bulk reads or transfers far above it (ATT&CK Exfiltration, TA0010). An alert on a one-day read of millions of records is the control that was missing here.
- Log and alert on successful logins from atypical locations or devices, and validate thresholds against known-bad activity so that genuine events are not suppressed (false negatives), not only to keep alert volume down.
- Run regular phishing simulations and employee training to reduce credential-theft success rates.
- Maintain an up-to-date incident-response playbook that includes external notification procedures and timelines for customer communication, so that confirming a breach does not depend on the attacker making contact.
- Review data-retention policies to limit the personal data held, reducing what any single breach can expose.
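As an added example (not Odido's tooling and not code from the original brief), the following Python sketch implements the two detections from the list above, an atypical-origin login and a bulk read far above an account's own baseline, over a constructed set of login and data-access events. The log schema, user names, countries, device IDs, dates and thresholds are all assumptions.

```python
"""Detections for the two gaps the brief identifies: a successful login from a
location or device never seen for that account, and a one-day data read far
above the account's own baseline. Added example; log schema, field names and
thresholds are assumptions, not Odido's telemetry."""
from collections import defaultdict
from datetime import date, datetime
from statistics import median

# Constructed sample events (not real Odido logs). Two staff accounts behave
# normally on 2-4 February; on 5 February "jdoe" logs in from an unseen
# country/device and reads two million records in twenty minutes.
SAMPLE_EVENTS = [
    {"ts": "2026-02-02T08:58:00", "type": "login", "user": "jdoe", "country": "NL", "device": "LAPTOP-017", "ok": True},
    {"ts": "2026-02-02T09:10:00", "type": "read", "user": "jdoe", "records": 800},
    {"ts": "2026-02-02T09:00:00", "type": "login", "user": "asmith", "country": "NL", "device": "LAPTOP-022", "ok": True},
    {"ts": "2026-02-02T09:30:00", "type": "read", "user": "asmith", "records": 500},
    {"ts": "2026-02-03T09:02:00", "type": "login", "user": "jdoe", "country": "NL", "device": "LAPTOP-017", "ok": True},
    {"ts": "2026-02-03T10:15:00", "type": "read", "user": "jdoe", "records": 1200},
    {"ts": "2026-02-03T09:05:00", "type": "login", "user": "asmith", "country": "NL", "device": "LAPTOP-022", "ok": True},
    {"ts": "2026-02-03T11:00:00", "type": "read", "user": "asmith", "records": 500},
    {"ts": "2026-02-04T08:55:00", "type": "login", "user": "jdoe", "country": "NL", "device": "LAPTOP-017", "ok": True},
    {"ts": "2026-02-04T14:20:00", "type": "read", "user": "jdoe", "records": 950},
    {"ts": "2026-02-04T09:01:00", "type": "login", "user": "asmith", "country": "NL", "device": "LAPTOP-022", "ok": True},
    {"ts": "2026-02-04T09:40:00", "type": "read", "user": "asmith", "records": 500},
    # 5 February: a failed attempt, then a successful login from an origin never
    # seen for jdoe, then bulk reads with the stolen session.
    {"ts": "2026-02-05T02:12:00", "type": "login", "user": "jdoe", "country": "RO", "device": "WIN-VM-9", "ok": False},
    {"ts": "2026-02-05T02:13:00", "type": "login", "user": "jdoe", "country": "RO", "device": "WIN-VM-9", "ok": True},
    {"ts": "2026-02-05T02:20:00", "type": "read", "user": "jdoe", "records": 1_500_000},
    {"ts": "2026-02-05T02:41:00", "type": "read", "user": "jdoe", "records": 500_000},
    {"ts": "2026-02-05T09:00:00", "type": "login", "user": "asmith", "country": "NL", "device": "LAPTOP-022", "ok": True},
    {"ts": "2026-02-05T09:30:00", "type": "read", "user": "asmith", "records": 600},
]


def _day(event):
    return datetime.fromisoformat(event["ts"]).date()


def build_baselines(events, before):
    """Per-user daily read totals and seen (country, device) pairs, built only
    from events dated before `before` so the day under review cannot poison it."""
    daily = defaultdict(lambda: defaultdict(int))   # user -> day -> records read
    seen = defaultdict(set)                          # user -> {(country, device)}
    for e in events:
        if _day(e) >= before:
            continue
        if e["type"] == "login" and e["ok"]:        # failed logins never extend the baseline
            seen[e["user"]].add((e["country"], e["device"]))
        elif e["type"] == "read":
            daily[e["user"]][_day(e)] += e["records"]
    return daily, seen


def detect(events, day, volume_factor=10.0, min_records=10_000):
    """Return alerts for `day`. An account with no history fires on its first
    successful login, and the volume rule needs both an absolute floor and a
    multiple of the median so a quiet account's tiny baseline does not page
    on trivial growth."""
    daily, seen = build_baselines(events, day)
    alerts, today = [], defaultdict(int)
    for e in events:
        if _day(e) != day:
            continue
        user = e["user"]
        if e["type"] == "login" and e["ok"]:
            origin = (e["country"], e["device"])
            if origin not in seen[user]:
                alerts.append({"kind": "atypical_login", "user": user,
                               "country": origin[0], "device": origin[1], "ts": e["ts"]})
        elif e["type"] == "read":
            today[user] += e["records"]
    for user, total in today.items():
        baseline = median(daily[user].values()) if daily[user] else 0
        if total >= min_records and total > volume_factor * baseline:
            alerts.append({"kind": "bulk_read", "user": user,
                           "records": total, "baseline": baseline})
    return alerts


def run_sample(day="2026-02-05"):
    """Run both detections over the constructed sample for one day."""
    return detect(SAMPLE_EVENTS, date.fromisoformat(day))


if __name__ == "__main__":
    for alert in run_sample():
        print(alert)
```

Both rules key on the account. Since Odido blocked the phished account within an hour and the reads still happened, it is worth summing the bulk-read rule by source host or IP as well, so that reads made under identities picked up during lateral movement are counted together; and thresholds should be checked against a replay of known-bad activity (here, the 5 February events) rather than only tuned down to reduce noise.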