Message from Søren, CEO
On 5 and 6 February, we were subject to a cyberattack by the criminal organization ‘ShinyHunters’. I deeply regret that this happened and recognize the concern and uncertainty that this incident has caused for those affected.
We cannot change the events of the past few months. But we can control how we protect our customers – both individual consumers and businesses – moving forwards, by further strengthening our defenses against the always-evolving cyber threat landscape.
As such, I want to make 4 clear commitments on behalf of our entire organization:
- We promise to continue investing in our organizational capabilities to ensure our defenses stay up-to-date with the increased sophistication of cyber threats.
- We continue to support our customers, including free access to the digital security service F‑Secure.
- We promise to remain committed to continuously strengthening our data security and retention practices.
- We promise we will learn from this experience: critically, we will communicate openly with customers, through good times and bad. And we will share our learnings, transparently and collaboratively, to help protect against new threats from cybercriminals.
Thank you for your attention and for your patience. I know that there is more to do to address your concerns, improve as an organization, and earn back your trust.
We’re on a journey; the steps I outline are just some of many we’ve taken to make sure Ben is a safer, more resilient place for you and your data. I promise.
Søren Abildgaard
CEO
Extra protection for you – free of charge
We want to support you. We want to offer some additional data protection free of charge.
You can activate the F‑Secure digital security package free of charge for 24 months. It gives your phone, tablet and computer extra protection against viruses, phishing and other online threats. You activate the package using a voucher.
These FAQs may be supplemented. If you have new questions, first check out this information page to see if new information is available before contacting us.
What happened?
The attacker contacted our customer service team pretending to be a member of our IT staff. The first voice phishing (“vishing”) attack took place on 5 February, with another attack on 6 February. In both instances, our team detected the unauthorized access immediately, investigated the incident and revoked the threat actor’s access. Phishing attacks like this are not uncommon, and our staff are trained to detect them. But the specific attack that led to data exfiltration was very sophisticated. Because Ben is part of Odido, Ben has also been affected by this attack.
A cybercriminal organization known as ‘ShinyHunters’.
Our teams have worked closely with external cybersecurity experts to understand the full scope of the incident and the affected data. We have concluded our data analysis in relation to notifications that we have sent to our customers.
Yes, all our services remain fully available – they were not affected by the cyberattack. Customers can continue to call and use the internet safely.
Simpel customers were not impacted by the attack.
In total, approximately 6.39 million people were affected by the cyberattack. We informed the vast majority of them in the initial notification within days of confirming the breach via a personal e-mail or SMS. These were both active and inactive customers of Odido and Ben. Further analysis in the weeks after the attack showed that additional notifications needed to be issued to a small group of customers who had not yet been reached.
We have contacted all customers whom we determined to have been affected via e-mail or SMS. In addition, we provided information to our customers through a dedicated webpage and through our service agents and retail organisation.
One of the most important lessons we’ve learned is how difficult it can be for an organization – particularly one of our size – to complete a full analysis of the data impacted in a cyberattack.
As a result, balancing speed and accuracy in our communications was a significant challenge. We wanted to be on the front foot, so we informed millions of customers within days that their data had been impacted. As our investigation progressed and more detailed findings became available, we provided customers with updated information to ensure they had the most accurate and complete picture.
Throughout the past few months, we have scaled up our capacity by over 140 agents to answer customer questions and further help customers. We’ve also offered customers practical protective options, such as the option to change their phone number, to help protect against threats. We promise to continue to offer additional security measures for our customers over the coming months, including access to digital security service F-Secure.
The data affected
The data affected differed per person and included information such as name, address, mobile number, customer number, email address, IBAN number, date of birth, identification details, nationality and gender. To be clear, the data did not include Ik Ben passwords, call details, location data, billing data or scans of identity documents.
In limited cases, additional information you may have shared with our customer service team could also have been affected. If you have questions about your specific situation, you can submit a data access request.
No, this is incorrect. We would like to emphasize that no passwords from Ik Ben or other login systems have been leaked. The passwords that customers use to log in are stored in encrypted form and have never been accessible. Your Ik Ben account is secure.
What has been leaked is a field from the customer contact system called “password_c”. Despite its name, this is not a password, but a so-called challenge word or code word. This was used as an additional security question when a customer contacted us by telephone. This code word does not give access to accounts, services or personal data and is completely separate from the systems in which customers log in.
This additional code word was registered for a limited group of customers. As soon as we heard that these code words were included in the leak, telephone verification based on these code words was immediately discontinued.
The Dutch Banking Association (NVB) has emphasized that it is not possible to log in to your banking environment, such as your banking app or online banking, with a bank account number. It is therefore our opinion that the incident does not necessitate changing your bank account number. You can find the NVB's advice here: https://www.nvb.nl/nieuws/datalek-odido/
We know that you want to confirm the data that was leaked from you individually; you can look at the F-Secure service or the website ‘Check je hack’ for confirmation.
The main part of the affected data was used as part of everyday business practices to enable our sales and customer services teams to do their jobs. Other parts of the affected data were retained in line with customary retention periods. We are conducting a full critical review of our data retention policies and processes.
Ben has a standard process in place for requests to delete customer data, which is handled by a dedicated team. This process also allows us to verify the identity of the person making the request, helping to ensure your data is protected. We would be grateful if you could submit your request via the form on our website: ben.nl/privacy.
Acting on clear and consistent guidance from authorities, we did not pay the ransom. We knew that this decision could lead to the stolen data being published. But, ultimately, there could be no other decision. We strongly believe that criminal organizations should not be rewarded for illegal activities; paying the ransom could put a target on the back of other Dutch businesses.
Of course, we understand the impact of this decision – and this incident – on all our customers. Our focus has always been – and remains – supporting those affected.
Staying safe after a cyberattack
Ben never sends messages asking you to change your password. Stay alert, and if you don’t trust a message, don’t take any action. For tips on how to recognize phishing, visit ben.nl/phishing.
We have offered customers practical protective options, such as the option to change their phone number, and free access to digital security service F-Secure, to help protect devices against phishing, malware and other online threats.
You get 24 months of free access to the F‑Secure digital security service. Text VOUCHER to 1935 before 31st August 2026 to activate your 24-month subscription.
How we’re moving forward
First and foremost, we’re working closely with external cybersecurity experts to enhance our security posture. We have already implemented additional security measures and we’ve created a task force to assess our entire IT landscape.
We are committed to implementing any further measures identified through this assessment. We are also introducing additional training programs – including cybersecurity e-learning modules – to ensure our people are a stronger first line of defense against cyber threats.
And critically, we have strengthened our data governance by adding extra external expertise and capacity. In light of the incident, we are doing a full critical review of our data retention policies and processes.
For safety reasons, we cannot disclose exactly what we are doing to further strengthen and protect our systems.
We understand that you may still have questions. If you have questions that are not answered on this page, please contact us: https://www.ben.nl/service/contact