Class Action Filed Against Odido Over Data Leak Affecting 6.2M Dutch People

Privacy foundation Consumers United in Court (CUIC) launched a class action lawsuit on Monday against telecom provider Odido, following the massive data breach in early February that exposed the personal and financial data of 6.2 million current and former customers. The case is described as one of the largest privacy incidents in Dutch history.

Rentals in the Netherlands

Signaal tracks the Dutch rental market and notifies you the moment something matches your search. Be first to apply.

What happened

On 7 and 8 February 2026, hacker group ShinyHunters gained access to Odido's CRM system, a Salesforce platform used to manage customer data, through social engineering. The attackers first used phishing to obtain login credentials from individual customer service employees. The stolen data covered approximately 6.2 million accounts, roughly 90 percent of Odido's entire customer base. The data included names, addresses, phone numbers, email addresses, dates of birth, IBAN numbers and passport or driving licence numbers.

Odido is the company formerly known as T-Mobile Netherlands, which merged with Tele2 in 2019. Customers of subsidiary Ben were also affected.

ShinyHunters demanded a ransom of more than one million euros, threatening to publish the data if Odido refused to pay. Odido declined on principle. From that point, the hackers began releasing portions of the data daily on the dark web. On 1 March 2026, they ended the drip-feed and published the entire dataset at once.

What the lawsuit claims

According to CUIC, Odido was negligent on multiple counts: too much data was stored, it was held for too long, it was insufficiently secured, and customers were not adequately informed. CUIC chair Eliëtte Vaal said Odido had treated customer data security "as an afterthought in its business operations."

CUIC also wants Odido to send a detailed message to all affected customers explaining how the breach occurred, how the company responded, and what failures allowed the attack to succeed. The foundation also wants full clarity on exactly which data ended up in criminal hands, to help determine the extent of the damage.

The breach also revealed that Odido was retaining customer data long beyond its own stated retention period. Former customers who had cancelled their contracts up to a decade ago were informed that their data had been stolen, even though Odido's own policy is a maximum retention period of two years.

Real-world harm already documented

Following the full publication of the stolen data on 1 March, a wave of phishing attacks emerged targeting former Odido customers. A particularly convincing campaign impersonated the CJIB, the government fines collection agency. The timing was revealing: only people with Odido subscriptions received the fake emails, confirming the stolen data was being actively used for targeted fraud.

Who is behind the lawsuit and how to join

CUIC says it is an independent non-profit organisation, co-founded by Privacy First and the European data protection advocacy group None of Your Business. Affected customers can join the collective claim free of charge. Whether any compensation is ultimately paid will depend on a court ruling or settlement.

Odido has confirmed it is aware of the claim. The Dutch Data Protection Authority (Autoriteit Persoonsgegevens) is conducting a separate investigation into the breach.