The largest mobile phone operator in the Netherlands has revealed a major data breach affecting millions of customers.
Odido said in a statement late last week that the incident affected a “customer contact system.”
The firm pointed out that no passwords, call details or billing data were taken in the raid. For some users, however, the compromised information included names, home and email addresses, IBANs, dates of birth and passport/driver’s license numbers.
That’s a potentially significant haul which could give threat actors plenty of opportunities to launch convincing spear-phishing attacks and identity fraud attempts.
Local reports claimed that as many as 6.2 million customers could be affected.
“We deeply regret this incident and are fully committed to limiting the impact of this incident and providing our customers with all necessary support. It is important to emphasize that our operational services have not been affected; customers can continue to call, use the internet, and watch TV safely,” the Odido statement noted.
“Unauthorized access to the system was ended as quickly as possible. In addition, Odido has engaged external cybersecurity experts to support the implementation of additional security measures as part of the response to this incident.”
Aaron Colclough, VP of operations at cybersecurity firm Suzu Labs, explained that customer contact systems are popular targets for hackers given that they aggregate names, contact details and payment or identity data.
“Affected customers need clear, ongoing support, and both the company and regulators should be watching for misuse of the stolen data,” he added.
“Most organizations don’t treat their contact and support platforms as critical infrastructure, but that’s where customer data lives. Limit what lives in those systems. Beyond that, the worst time to discover your plan has holes is during an active breach. Running tabletop scenarios beforehand is how you find those holes and make sure your team can actually execute when it counts.”
Odido urged customers to be prepared for suspicious phone calls, text messages, app messages and emails.
“Cybercriminals may exploit the situation by sending fake invoices that appear to come from Odido or other parties,” it added. “Therefore, always carefully check the origin and accuracy of received invoices before proceeding with payment. For example, you can always view an Odido invoice in your Mijn Odido environment. If you are in doubt, always contact us.”
Those impacted by the breach will be contacted by Odido directly.
