Dutch telecoms business Odido has disclosed a cyberattack on its customer contact system that happened on 7 February.
The personal information of approximately 6.2 million customers was disclosed, including names, residential addresses, mobile phone numbers, email addresses, account numbers, and ID information such as passports and driver’s licenses.
In a statement, the company said no passwords, call details or billing information are involved.
“We deeply regret this incident and are fully committed to limiting the impact of this incident and providing our customers with all necessary support. It is important to emphasize that our operational services have not been affected; customers can continue to call, use the internet and watch TV safely,” the statement read.
Odido said the unsanctioned access was terminated quickly and no group has thus far claimed responsibility for the attack. Affected customers will receive a direct email or text from the company.
The incident has been reported to the Dutch Data Protection Authority (AP).
A Window to Act
Aaron Colclough, VP of Operations at Suzu Labs, says: “Customer contact systems are attractive targets because they aggregate names, contact details, and often payment or identity data. When a breach happens, the priority is cutting off access and figuring out what was taken. Then you notify the regulator and the people affected.”
He said by reaching out to affected customers Odido has given them a window to act before the stolen data gets used against them. “The follow-through matters too. Affected customers need clear, ongoing support, and both the company and regulators should be watching for misuse of the stolen data. Most organizations don’t treat their contact and support platforms as critical infrastructure, but that’s where customer data lives. Limit what lives in those systems. Beyond that, the worst time to discover your plan has holes is during an active breach. Running tabletop scenarios beforehand is how you find those holes and make sure your team can actually execute when it counts.”
CRM Sprawl is a Strategic Vulnerability
John Carberry, Solution Sleuth at Xcape Inc, says this latest incident “starkly illustrates how CRM sprawl has become a strategic vulnerability for national telecommunications companies.”
However, he says this problem is not limited to that industry. “By compromising a customer contact system instead of core network infrastructure, attackers obtained a “social engineering starter kit” containing names, IBANs, and even passport numbers, all without triggering the operational alerts typically associated with service disruptions. While CEO Søren Abildgaard’s swift termination of access was a technical win, the theft of government ID data has created a lasting “identity debt” that a simple password reset cannot resolve.”
Carberry adds that this highlights how CRM tools that often hold the keys to an organization’s sensitive data are subject to less rigorous security protocols than the “crown jewels.”
Shift to Proactive Fraud Monitoring
“This incident mirrors recent breaches at ApolloMD and the European Commission where the exfiltration of metadata was prioritized to facilitate highly targeted and long-term phishing campaigns,” he continues. “As Odido prepares to notify nearly 80% of its customer base, the priority must now shift from incident containment to proactive fraud monitoring. Victims face frozen bank accounts, denied loans, destroyed credit scores, and the Kafkaesque experience of having to prove to institutions that they are actually themselves, all while their immutable personal identifiers circulate through criminal networks forever.”
Odido owes its 6.2 million affected customers comprehensive identity theft protection services, credit monitoring, and direct legal support; in this case, an FAQ page and an apology won’t cut it, Carberry adds. Their responsibility extends far beyond damage control.
“In the end, identity theft isn’t just about losing money; it’s about discovering that the government and financial institutions trust the criminals using your stolen ID more than they trust you,” he ends.
Information Security Buzz News Editor
Kirsten Doyle has been in the technology journalism and editing space for nearly 24 years, during which time she has developed a great love for all aspects of technology, as well as words themselves. Her experience spans B2B tech, with a lot of focus on cybersecurity, cloud, enterprise, digital transformation, and data centre. Her specialties are in news, thought leadership, features, white papers, and PR writing, and she is an experienced editor for both print and online publications.
The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.