Dutch investigators say they have strong indications that Dutch criminals were involved in the breach that exposed data of more than 6 million Odido customers, including a phone call in which a Dutch-speaking man posed as the telecom's own IT support.
The Dutch national police and the Public Prosecution Service said on July 9 that the investigation into the February cyberattack on telecom provider Odido has produced strong indications of Dutch involvement. The case is being run by the police's Team High Tech Crime under the National Public Prosecutor's Office.
The most concrete lead disclosed so far is a phone call. Shortly before the hack, a Dutch-speaking man contacted Odido's customer service posing as an internal IT employee, according to the statement. The company was then misled through phishing, after which the data theft took place. Police are still working to identify the caller and other people involved. They are urging him to turn himself in, and say his voice may be made public at a later stage.
The statement also offered a rare look at work done behind the scenes. Early in the investigation, police say they took multiple servers offline that the hacker group used to distribute the stolen data. Investigators believe the perpetrators have talked about the hack online or within their social circles, and they are openly appealing for tips, including anonymous ones.
The breach
The attack hit Odido in early February. Data belonging to more than 6 million customers was stolen and later published. The extortion group ShinyHunters claimed the breach and threatened to release records daily unless the company paid. Odido, acting on advice from government agencies and external advisers, refused. The group then dumped the dataset publicly in stages in late February, according to Dutch media reporting.
Earlier reporting by Dutch broadcaster NOS tied the intrusion to Odido's Salesforce environment and to a wider campaign in which attackers impersonate IT staff, steer employees into fraudulent login flows, and get around extra verification steps. Salesforce had warned customers about the method as recently as late January, days before the Odido breach. The police statement itself names neither Salesforce nor ShinyHunters.
Get the ICD Newsletter
Subscribe for source-forward cyber news, OSINT notes, breach updates, and analysis. Have evidence or a lead? Send it to ICD.