Dutch Organizations Report Data Breaches and Extended Unauthorized Access
Dutch authorities reported a prolonged compromise at the Dutch prisons agency DJI, where attackers reportedly maintained access for at least five months. Exposed information included staff email addresses, phone numbers, and security certificates, and the Dutch NCSC indicated the intruders also accessed phones, tablets, and laptops, though the extent of data access on those endpoints was not confirmed; DJI did not confirm whether access had been fully removed.
Separately, Dutch telecom Odido disclosed a data breach followed by an extortion attempt, after which attackers publicly released about 1M records (including 317k unique email addresses) and threatened additional leaks. The published data reportedly included names, physical addresses, phone numbers, bank account numbers, and customer-service notes; Odido’s notice also warned that dates of birth and government ID numbers (passport/driver’s license) were impacted. A Canadian Tire breach entry describes a different incident in Canada (October 2025) involving ~42M records with PBKDF2-hashed passwords and some partial payment-card metadata, and is not part of the Netherlands-focused events above.
Related Entities
Organizations
Sources
Related Stories
Odido Customer Data Breach and Extortion Leak Campaign
Dutch telecom **Odido** reported that attackers stole data on **6.2 million** current and former customers, while the threat actor claimed the dataset covers **8+ million** people and demanded **€1M+** in ransom, threatening to publish data in daily tranches if unpaid. Reporting indicates the company refused to pay, and the extortionists proceeded with a staged leak strategy intended to maximize public and media impact. Subsequent leak batches reportedly included not only typical customer identifiers (e.g., names, addresses, phone numbers, dates of birth, bank account numbers, and ID numbers) but also **internal customer-service notes** containing highly sensitive context such as stalking, threats, domestic violence, and protected addresses—creating potential **physical safety risks** for affected individuals. The leak cadence was described as multiple dumps over consecutive days (including a “final dump”), drawing significant national attention in the Netherlands and increasing the likelihood of intensified law-enforcement focus on the perpetrators.
2 weeks ago
Odido Customer Contact System Breach Exposes Data of 6.2 Million Customers
Dutch telecommunications provider **Odido** disclosed a cyberattack in which threat actors gained unauthorized access to a **customer contact/CRM system** and **downloaded personal data** associated with approximately **6.2 million customer accounts**. Odido stated the intrusion was detected over the **February 7–8** weekend and that access was terminated as quickly as possible; the company also reported the incident to the Dutch Data Protection Authority (**Autoriteit Persoonsgegevens**) and engaged external cybersecurity experts to support investigation and additional defensive measures. Odido said its **telecom operations were not disrupted**, and no threat actor group has publicly claimed responsibility; reporting also notes the attackers allegedly contacted Odido to assert they had stolen millions of records. Exposed data varies by customer but may include **full name, address/place of residence, mobile number, customer number, email address, IBAN bank account number, date of birth, and identification document details** (e.g., passport/driver’s license number and validity). Odido emphasized that **passwords** (including for the *My Odido* portal), **call logs**, **location data**, **invoice/billing details**, and **scans of ID documents** were **not** affected. Odido is notifying impacted individuals via email from **`info@mail.odido.nl`** or by SMS, and warned that the stolen data could be used for **impersonation and phishing** attempts that appear to come from Odido.
1 months ago
Dutch Police Data Theft via Compromised Email and M365 Cloud Security Gaps
Dutch police suffered a major data theft attributed to a **Russian cyber group** after attackers gained access via an employee’s **email account** and exfiltrated sensitive personnel information. Stolen data reportedly included the contact details of nearly all **~65,000 police officers**, along with profile photos and other personal data, triggering significant internal unrest and concern about officer safety and privacy. Investigative reporting indicates the organization had been **warned in advance** about security weaknesses relevant to the intrusion path. Documents obtained under the Netherlands’ Open Government/Woo framework describe an internal **November 2022 risk analysis** that raised concerns about the implementation and security of Microsoft’s **M365 cloud** (used for tools such as *Teams*), explicitly noting “inherent” cloud risks and that **state actors** would be highly motivated to access the environment. Following the 2024 theft, police reportedly stood up a heavy crisis response structure (the *Nationale Staf Grootschalig en Bijzonder Optreden*) to reduce immediate risk and implement additional security measures, while political and union voices characterized the incident as severe and questioned why earlier warnings were not acted upon.
1 months ago