The Netherlands' largest mobile network operator (MNO) has admitted that a breach of its customer contact system may have affected around 6.2 million people.
Odido said that attackers gained access to a range of personal data, including names, home and email addresses, phone numbers, dates of birth, bank account numbers, and ID document details.
The telco insisted that attackers could never have seen passwords, call details, billing or location data, or scans of the ID documents.
It spotted the first signals indicating a breach over the weekend of February 7-8 and promptly reported the incident to the Dutch Data Protection Authority.
Odido said the stolen data has not been published, but warned that it could appear online at some point in the future.
Around 6.2 million people were affected by this attack in some way, the telco told local news media, including its own customers and those of Ben, another MNO owned by Odido. Simpel, a low-budget MNO also under Odido's management, was unaffected.
The company is in the process of informing all affected individuals, either via email (info@mail.odido.nl) or SMS. This message will be tailored to each customer, telling them exactly what personal data was stolen.
In its disclosure, Odido also included tips about what customers should be aware of following the breach, such as scams attackers may attempt using the stolen data for financial gain.
Because names, addresses, phone numbers, and bank account numbers were included in the stolen data, Odido said that cybercriminals may use this to impersonate the telco, the customer's bank, or another third party.
Odido also advised customers on the different ways they can verify a caller's identity when the caller claims to be from a bank, and told them to be wary of fake invoices carrying company branding that try to get customers to pay the criminals directly.
CEO Søren Abildgaard said Odido "immediately took additional security measures" after shutting down the attacker's access, as well as informing the data regulator.
"Odido has been affected by a cyberattack, in which customer data has been impacted," said Abildgaard in a letter to customers. "This involves personal data originating from a customer contact system used by Odido. No passwords, call details, or billing data are involved.
"We deeply regret this incident and are fully committed to limiting the impact of this incident and providing our customers with all necessary support. It is important to emphasize that our operational services have not been affected; customers can continue to call, use the internet, and watch TV safely.
"Unauthorized access to the system was ended as quickly as possible. In addition, Odido has engaged external cybersecurity experts to support the implementation of additional security measures as part of the response to this incident."
The Register approached Odido for more information. ®
