Odido: One Month After Disclosure, the Breach Is Still Expanding

On 12 February 2026, Dutch telecom provider Odido confirmed that a cyberattack had compromised the personal data of approximately 6.2 million customers. One month later, the situation has not stabilised. It has escalated at every level — operational, regulatory, criminal, and political.

The full dataset is now public. Government ministers are in it. Former customers who left a decade ago are in it. Identity fraud linked to the breach has doubled. A second, unrelated privacy violation has surfaced. And the institutional response remains, for the most part, observational.

This is a documented timeline of what has happened since disclosure, what it means, and what it reveals about how the Netherlands handles a breach of this scale.

The Release Timeline

ShinyHunters breached Odido over the weekend of 7–8 February using a multi-stage vishing attack. They phished customer service credentials first, then called the same employees pretending to be Odido's IT department to trick them into approving a secondary login. That gave the attackers 48 hours of undetected access to the Salesforce database.

On 26 February, Odido publicly confirmed it would not pay the ransom. ShinyHunters had initially demanded €1 million, later reducing the demand to €500,000. That same day, the first batch of 680,000 customer records appeared online.

Further dumps followed on 27 and 28 February. On 1 March, the attackers published what they described as the full remaining dataset: 6.5 million individuals and approximately 600,000 companies. The release included more than five million identity documents — passports, driver's licences, and residence permits, including those belonging to diplomats.

What the Dataset Contains

This is not an email-and-password leak. The Odido dataset includes full legal names, home addresses, dates of birth, email addresses, phone numbers, IBAN bank account numbers, and identity document numbers with validity dates.

It also includes internal customer service notes. Dutch broadcaster NOS confirmed that these notes identify customers with court-appointed guardians, flag customers with histories of account fraud attempts, and record payment arrangement details. This metadata allows criminals to systematically identify financially vulnerable targets and tailor attacks to individual circumstances.

The combination of IBAN, full name, date of birth, and national ID number is sufficient to bypass KYC verification at financial institutions, execute SIM-swap attacks, open credit lines, and conduct targeted spear phishing that references real account details. This is not a theoretical risk. It is already happening.

The Fraud Is Confirmed

The Central Identity Fraud Reporting Point (CMI) reported that Odido-related fraud inquiries more than doubled in the weeks following the leak. Active phishing campaigns appeared within 24 hours of the full data publication — fake emails directing victims to a fraudulent Odido compensation portal.

The compensation scams did not stop there. A website calling itself "odidoschadevergoeding.nl" — ostensibly offering to file damage claims on behalf of victims — was flagged by AVROTROS's "Opgelicht?!" programme as itself predatory: no KVK registration, no terms and conditions, fixed fees charged upfront. Criminals exploiting breach victims a second time, using the breach as the pretext.

National Security Escalation

On 5 March, RTL Nieuws reported that the dataset contains the personal data of four sitting government ministers, three individuals under state protection, multiple state secretaries, members of parliament, and at least one senior intelligence service employee.

Some of these individuals had not been informed by Odido. Some received only the generic notification email sent to all affected customers, with no acknowledgement that their specific exposure carried national security implications.

This disclosure transformed the incident from a corporate data breach into a state security matter. The home addresses, phone numbers, and identity document details of protected persons — people under government security precisely because they face credible threats — are now in a dataset that has been downloaded, copied, and redistributed across criminal infrastructure.

The Data Retention Problem

NOS reported that the dataset includes records of former Odido customers who terminated their contracts five to ten years ago. Odido's own privacy policy states a maximum retention period of two years after the end of a customer relationship.

This is a GDPR Article 5(1)(e) violation — the storage limitation principle — layered on top of the breach itself. Odido held data it had no lawful basis to retain, and that data was subsequently stolen and published. The "Autoriteit Persoonsgegevens" confirmed it is investigating whether Odido complied with its own stated policies.

The implication is significant: some of the people exposed in this breach had no active relationship with Odido and no reason to believe their data was still held. They were exposed not because they were breached, but because their data should have been deleted and was not.

Then Came Lifemote

On 11 March, Dutch security researcher Sipke Mellema revealed that Odido's rental routers had been forwarding MAC addresses, device names, and surrounding Wi-Fi network identifiers to the American AI company Lifemote — for years, without disclosure.

MAC addresses are classified as personal data by the "Autoriteit Persoonsgegevens." Device names like "Jan's iPhone" or "Apple TV woonkamer" are personally identifiable. Odido's privacy policy mentioned collecting this data but did not disclose forwarding it to a third party in the United States. Odido stopped the practice and updated firmware after De Telegraaf's inquiries. Separate "Kamervragen" were filed.

This is not connected to the ShinyHunters breach. It is a distinct privacy violation. But its timing — surfacing while Odido is already under investigation for the largest telecom breach in Dutch history — establishes a pattern. This is not an organisation that suffered a single security failure. This is an organisation with structural deficiencies in how it handles personal data.

Law Enforcement Response

On 3–4 March, the FBI and Europol coordinated the takedown of LeakBase, a criminal forum with 142,000 registered members that hosted the Odido dataset among hundreds of other stolen databases. The operation, involving 14 countries, resulted in over 100 enforcement actions against 37 of the forum's most active users, including search warrants, arrests, and interviews across the US, Australia, Belgium, Poland, Portugal, Romania, Spain, and the UK.

LeakBase is gone. The data is not. Once a dataset of this size reaches multiple criminal forums and is downloaded by thousands of users, no takedown operation retrieves it. The law enforcement response addressed distribution infrastructure, not the underlying exposure.

The Institutional Response

Two rounds of "Kamervragen" have been filed — the first by D66 on 13 February, the second on 2 March. The questions cover GDPR compliance, breach notification timing, whether current security requirements for telecom providers are adequate, and what structural changes are needed.

The "Autoriteit Persoonsgegevens" has confirmed it is monitoring the situation and investigating Odido's data retention practices. The Dutch police launched the "Checkjehack" portal for affected customers to check their exposure.

One month in, there has been no fine, no structural regulatory action, and no mandatory change to how Dutch telecom providers handle identity data. The investigation is open. The monitoring continues. The 6.5 million affected individuals wait.

What This Tells Us

The Odido breach is not exceptional because of its scale, though the scale is significant. It is exceptional because every week since disclosure has added a new dimension of failure: operational (the vishing attack), legal (the retention violation), political (the ministerial exposure), structural (the Lifemote revelation), and criminal (the active fraud campaigns).

One month later, the breach is not closing. It is still being understood.
