Dutch Organizations Report Data Breaches and Extended Unauthorized Access
Dutch authorities reported a prolonged compromise at the Dutch prisons agency DJI, where attackers reportedly maintained access for at least five months. Exposed information included staff email addresses, phone numbers, and security certificates, and the Dutch NCSC indicated the intruders also accessed phones, tablets, and laptops, though the extent of data access on those endpoints was not confirmed; DJI did not confirm whether access had been fully removed.
Separately, Dutch telecom Odido disclosed a data breach followed by an extortion attempt, after which attackers publicly released about 1M records (including 317k unique email addresses) and threatened additional leaks. The published data reportedly included names, physical addresses, phone numbers, bank account numbers, and customer-service notes; Odido’s notice also warned that dates of birth and government ID numbers (passport/driver’s license) were impacted. A Canadian Tire breach entry describes a different incident in Canada (October 2025) involving ~42M records with PBKDF2-hashed passwords and some partial payment-card metadata, and is not part of the Netherlands-focused events above.
Get ahead of threats like this
Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
How this story unfolded
5 events from the most recent confirmed update back to the earliest known activity.
Odido publishes breach notice and customer FAQ
Following the breach and data publication, Odido issued a public disclosure notice and an FAQ to help affected customers understand the incident and its impact. The notice acknowledged the exposure of customer information after the extortion-linked breach.
Investigation reveals five months of access to prison staff data
A Dutch News report citing the Argos radio programme disclosed that hackers had maintained access to Dutch prisons agency data for at least five months. DJI did not confirm whether the attackers still had access to its systems at the time of reporting.
Odido customer data is published in four consecutive releases
After the Odido breach, 6 million unique email addresses were published across four separate data releases on consecutive days. The leaked data included extensive personal and financial records tied to affected customers.
Odido suffers data breach and extortion attempt
In February 2026, Dutch telecommunications company Odido experienced a data breach followed by an extortion attempt. The incident exposed extensive personal and financial information, including names, addresses, phone numbers, bank account numbers, dates of birth, customer service notes, and government identity document numbers.
Hackers gain access to Dutch prisons agency data
Attackers had access to data from the Dutch prisons agency (DJI) for at least five months, according to an investigation cited by Dutch News and the Argos radio programme. The exposed information reportedly included prison staff email addresses, phone numbers, and security certificates, and the NCSC said phones, tablets, and laptops were also compromised.
Sources
1 reference tracked. Mallory keeps watching after this page renders.
See the full picture, correlated to your attack surface.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.
Related stories
Other stories Mallory is tracking that overlap on entities, sources, or topic labels.
Odido Customer Data Breach and Extortion Leak Campaign
Dutch telecom **Odido** reported that attackers stole data on **6.2 million** current and former customers, while the threat actor claimed the dataset covers **8+ million** people and demanded **€1M+** in ransom, threatening to publish data in daily tranches if unpaid. Reporting indicates the company refused to pay, and the extortionists proceeded with a staged leak strategy intended to maximize public and media impact. Subsequent leak batches reportedly included not only typical customer identifiers (e.g., names, addresses, phone numbers, dates of birth, bank account numbers, and ID numbers) but also **internal customer-service notes** containing highly sensitive context such as stalking, threats, domestic violence, and protected addresses—creating potential **physical safety risks** for affected individuals. The leak cadence was described as multiple dumps over consecutive days (including a “final dump”), drawing significant national attention in the Netherlands and increasing the likelihood of intensified law-enforcement focus on the perpetrators.
Mar 27, 2026
Odido Customer Contact System Breach Exposes Data of 6.2 Million Customers
Dutch telecommunications provider **Odido** disclosed a cyberattack in which threat actors gained unauthorized access to a **customer contact/CRM system** and **downloaded personal data** associated with approximately **6.2 million customer accounts**. Odido stated the intrusion was detected over the **February 7–8** weekend and that access was terminated as quickly as possible; the company also reported the incident to the Dutch Data Protection Authority (**Autoriteit Persoonsgegevens**) and engaged external cybersecurity experts to support investigation and additional defensive measures. Odido said its **telecom operations were not disrupted**, and no threat actor group has publicly claimed responsibility; reporting also notes the attackers allegedly contacted Odido to assert they had stolen millions of records. Exposed data varies by customer but may include **full name, address/place of residence, mobile number, customer number, email address, IBAN bank account number, date of birth, and identification document details** (e.g., passport/driver’s license number and validity). Odido emphasized that **passwords** (including for the *My Odido* portal), **call logs**, **location data**, **invoice/billing details**, and **scans of ID documents** were **not** affected. Odido is notifying impacted individuals via email from **`info@mail.odido.nl`** or by SMS, and warned that the stolen data could be used for **impersonation and phishing** attempts that appear to come from Odido.
Mar 21, 2026
Dutch Police Data Theft via Compromised Email and M365 Cloud Security Gaps
Dutch police suffered a major data theft attributed to a **Russian cyber group** after attackers gained access via an employee’s **email account** and exfiltrated sensitive personnel information. Stolen data reportedly included the contact details of nearly all **~65,000 police officers**, along with profile photos and other personal data, triggering significant internal unrest and concern about officer safety and privacy. Investigative reporting indicates the organization had been **warned in advance** about security weaknesses relevant to the intrusion path. Documents obtained under the Netherlands’ Open Government/Woo framework describe an internal **November 2022 risk analysis** that raised concerns about the implementation and security of Microsoft’s **M365 cloud** (used for tools such as *Teams*), explicitly noting “inherent” cloud risks and that **state actors** would be highly motivated to access the environment. Following the 2024 theft, police reportedly stood up a heavy crisis response structure (the *Nationale Staf Grootschalig en Bijzonder Optreden*) to reduce immediate risk and implement additional security measures, while political and union voices characterized the incident as severe and questioned why earlier warnings were not acted upon.
Mar 21, 2026