February 2026 has delivered a relentless barrage of data breaches spanning telecom, financial services, aviation, and critical infrastructure across four continents. The month's most devastating incident struck the Netherlands, where telecom giant Odido confirmed that 6.2 million customers had their personal data stolen, including bank account numbers, passport details, and home addresses, in one of the largest breaches in Dutch history. Meanwhile, ShinyHunters, the prolific hacking group behind November 2025's massive Salesforce/Gainsight supply chain attack, continued their rampage into 2026 by compromising 1.4 million Betterment accounts through social engineering attacks targeting employees. Japan Airlines disclosed unauthorized access affecting 28,000 users, with a disturbing twist: the attackers had been inside their systems since July 2024, an 18-month dwell time. The week of February 2-8 alone saw 182 ransomware victims across 38 countries claimed by 34 distinct ransomware operators, underscoring the industrial scale of modern cybercrime. From oil pipeline operators in Romania to national citizen databases in Senegal, no sector and no geography is safe.
Important: Breach severity alert. If your organization uses third-party customer contact platforms, employee-facing marketing tools, or file-sharing services, review your vendor security posture immediately. February's breaches share a common thread: attackers are bypassing perimeter defenses by targeting employees through social engineering and exploiting third-party vendor access. ShinyHunters' pivot from supply chain attacks to employee phishing signals an evolution in tactics. Telecom customers in the Netherlands should monitor for identity fraud. Betterment users should enable multi-factor authentication on all financial accounts and watch for fraudulent crypto investment emails.
Odido: 6.2 Million Dutch Telecom Customers Exposed
• Victim: Odido (formerly T-Mobile Netherlands), the largest mobile phone operator in the Netherlands
• Date Discovered: February 7, 2026
• Records Exposed: 6.2 million customers (roughly one-third of the Dutch population)
• Attack Vector: Compromised customer contact system
• Reported To: Dutch Data Protection Authority (Autoriteit Persoonsgegevens)
• Full names
• Bank account numbers (IBAN)
• Home addresses
• Mobile phone numbers
• Email addresses
• Customer account numbers
• Identity documents (passports, driver's licenses)
• Passwords and login credentials
• Call detail records
• Billing and payment history
• Location data
• Scanned copies of identity documents
• Identity theft: Passport and driver's license numbers allow criminals to open accounts, apply for credit, or create fraudulent identities
• Targeted phishing: With phone numbers, emails, and account details, attackers can craft highly convincing phishing messages impersonating Odido or Dutch banks
• SIM swap attacks: Mobile numbers linked to identity data enable SIM swapping for two-factor authentication bypass
• Article 34: Individual notification to affected data subjects required given the high risk to rights and freedoms
• Potential Fines: Up to 4% of annual global turnover or 20 million EUR, whichever is higher
• Precedent: Dutch DPA previously fined T-Mobile Netherlands 475,000 EUR for a 2020 breach. This breach is orders of magnitude larger
• Class Action Risk: Dutch collective action lawsuits for privacy violations have surged since GDPR enforcement began
• Telecom data is uniquely dangerous: Phone numbers, IBANs, and identity documents together enable cascading fraud
• GDPR compliance is not optional: Organizations must implement technical and organizational measures proportionate to the risk of processing
ShinyHunters Strike Again: 1.4 Million Betterment Accounts
• Victim: Betterment (automated investment and fintech platform)
• Attack Date: January 9, 2026 (disclosed January 10, public notification February 2026)
• Records Exposed: 1,435,174 accounts
• Threat Actor: ShinyHunters (confirmed claim of responsibility)
• Attack Vector: Social engineering and phishing of Betterment employees
• Email addresses
• Full names
• Dates of birth
• Physical addresses
• Phone numbers
• Device information
• Employer locations and job titles
• Account passwords
• Financial account balances
• Investment holdings
• Social Security numbers
• Bank account or routing numbers
• Identified Betterment employees with access to third-party operational platforms
• Crafted targeted phishing emails impersonating internal IT or vendor communications
• Successfully compromised employee credentials through social engineering
• Used stolen credentials to access marketing and customer support platforms
• These platforms contained customer contact data, demographic information, and account metadata
• Attackers did not breach Betterment's core financial systems
• Extracted 1.4 million customer records from operational platforms
• Immediately began sending fraudulent cryptocurrency investment emails to stolen addresses
• Attempted to leverage trust in Betterment brand for secondary scam
• January 2026: Pivoted to direct social engineering, targeting individual company employees
• Pattern: Consistently targets third-party platforms rather than core systems, exploiting the weaker security of marketing, CRM, and support tools
• State Privacy Laws: With 1.4M affected accounts across multiple states, Betterment must comply with breach notification laws in all 50 states plus new comprehensive privacy laws (Indiana, Kentucky, Rhode Island)
• FINRA Requirements: Financial industry cybersecurity obligations require documented incident response and customer notification
Other Major February 2026 Breaches
• Breach Duration: Since July 2024 (approximately 18 months of unauthorized access)
• Records Exposed: 28,000+ user accounts
• Data Compromised: Names, phone numbers, email addresses, travel details
• Key Concern: The 18-month dwell time suggests sophisticated, persistent threat actors who evaded detection for over a year. Travel data (itineraries, destinations, frequent flyer details) is valuable for targeted phishing and physical security threats against high-profile travelers.
• Threat Actor: Everest ransomware gang
• Claimed: 1.4 TB of stolen data from the enterprise information management company
• Reality: Investigation revealed the breach was far more limited than claimed
• Actual Impact: Single compromised credential on a third-party file-sharing site
• Data Exposed: Marketing materials only, no customer sensitive data
• No ransomware deployed, core infrastructure remained secure
• Threat Actor: Qilin ransomware group
• Victim: Conpet, Romania's national oil pipeline transport operator
• Data Compromised: 1 TB including internal documents, employee passports, financial information
• Significance: Critical infrastructure targeting continues to escalate. Energy sector organizations face both data theft and potential operational disruption risks. EU NIS2 Directive compliance is now essential for critical infrastructure operators.
• Victim: Senegalese government citizen database (Direction de l'Automatisation des Fichiers)
• Data Compromised: 139 TB including citizen records, biometric data, immigration documents
• Impact: 5-day operational disruption to national government services
• Significance: Nation-state-scale breach affecting an entire country's citizen records, highlighting the vulnerability of government digital infrastructure in developing nations.
• Dutch Data Protection Authority: Breached via an Ivanti VPN exploit, an irony for the very agency that enforces GDPR
• Hawk Law Group: INC ransomware attack on legal firm, potentially exposing privileged client communications
• Terry Reilly Health Services: Healthcare vendor breach exposing patient data
• Flickr: Third-party integration breach exposing user data
• 38 countries affected
• 34 distinct ransomware operators active simultaneously
Protection Strategies: Lessons from February's Breaches
• Apply least-privilege access: Marketing tools should not have access to IBAN numbers or identity documents
• Implement vendor security assessments: Require SOC 2 Type II or ISO 27001 certification from vendors handling sensitive data
• Segment vendor access: Use separate credential sets and network zones for third-party integrations
• Passkeys: Platform-native passwordless authentication tied to device biometrics
• Conditional access policies: Require hardware tokens for access to customer data platforms
• Regular phishing simulations: Test employees quarterly with realistic phishing scenarios
• Canary tokens: Deploy decoy files and credentials that alert when accessed
• 24/7 SOC monitoring: Managed detection and response for organizations without in-house capability
• Regular threat hunting: Proactive searches for indicators of compromise, not just reactive alerting
• Develop incident response playbooks: Pre-written procedures for ransomware scenarios including legal, communications, and technical response
• Carry cyber insurance: Ensure policy covers ransomware, business interruption, and breach notification costs
• Segment networks: Prevent lateral movement by isolating critical systems from general-purpose networks
• Strict-Transport-Security: Enforce HTTPS connections
• X-Frame-Options: Prevent clickjacking attacks
• Permissions-Policy: Control browser feature access (camera, microphone, geolocation)
• Referrer-Policy: Limit information leakage through HTTP referrer headers
• X-Content-Type-Options: Prevent MIME type sniffing attacks
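The five response headers listed above can be checked mechanically. The following is an added example, not code from the original article or its scanner: `audit_headers`, the one-year HSTS threshold and the accepted value sets are assumptions of this sketch, and both sample responses are constructed.

```python
import re

# Thresholds and accepted values below are this example's assumptions.
MIN_HSTS_MAX_AGE = 31536000  # one year, in seconds
STRICT_REFERRER = {"no-referrer", "same-origin", "strict-origin",
                   "strict-origin-when-cross-origin"}
SENSITIVE_FEATURES = ("camera", "microphone", "geolocation")

def audit_headers(headers):
    """Return {header: finding}; an empty dict means all five checks pass."""
    h = {k.lower(): v.strip() for k, v in headers.items()}
    findings = {}
    def check(name, problem_of):
        value = h.get(name.lower())
        problem = "missing" if value is None else problem_of(value)
        if problem:
            findings[name] = problem
    def hsts(value):
        m = re.search(r"max-age\s*=\s*(\d+)", value, re.I)
        if not m or int(m.group(1)) < MIN_HSTS_MAX_AGE:
            return f"max-age absent or below {MIN_HSTS_MAX_AGE} seconds"
    def referrer(value):
        # A comma-separated list is a fallback chain; require a strict final entry.
        last = value.split(",")[-1].strip().lower()
        if last not in STRICT_REFERRER:
            return f"final policy {last!r} is not in the strict set"
    def permissions(value):
        pairs = (d.split("=", 1) for d in value.split(",") if "=" in d)
        granted = {k.strip().lower(): v.strip() for k, v in pairs}
        wide = [f for f in SENSITIVE_FEATURES if granted.get(f) == "*"]
        if wide:
            return "allowed for every origin: " + ", ".join(wide)
    check("Strict-Transport-Security", hsts)
    check("X-Frame-Options", lambda v: None if v.upper() in ("DENY", "SAMEORIGIN")
          else f"unsupported value {v!r}")
    check("X-Content-Type-Options", lambda v: None if v.lower() == "nosniff"
          else f"expected nosniff, got {v!r}")
    check("Referrer-Policy", referrer)
    check("Permissions-Policy", permissions)
    return findings

# Constructed sample responses (not captured from any real site).
WEAK = {"Strict-Transport-Security": "max-age=300", "Referrer-Policy": "unsafe-url",
        "X-Frame-Options": "ALLOW-FROM https://example.com",
        "Permissions-Policy": "camera=*, geolocation=(self)"}
HARDENED = {"strict-transport-security": "max-age=63072000; includeSubDomains",
            "x-frame-options": "DENY", "x-content-type-options": "nosniff",
            "referrer-policy": "no-referrer, strict-origin-when-cross-origin",
            "permissions-policy": "camera=(), microphone=(), geolocation=()"}
```

Calling `audit_headers(WEAK)` reports a finding for each of the five headers, including the absent `X-Content-Type-Options`, while `audit_headers(HARDENED)` returns an empty dict.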
February 2026 reinforces the patterns that defined the breach landscape throughout 2025 and into the new year: third-party vendor compromise, social engineering, and ransomware industrialization remain the dominant attack vectors. Odido's 6.2 million customer breach demonstrates that telecom companies, which aggregate some of the most sensitive personal data imaginable (identity documents, bank details, and phone numbers), remain high-value targets with massive GDPR exposure. ShinyHunters' continued evolution, pivoting from supply chain attacks in November 2025 to direct employee phishing in January 2026, shows that sophisticated threat actors adapt their tactics faster than most organizations update their defenses.
The scale of ransomware activity, 182 victims across 38 countries by 34 operators in a single week, confirms that ransomware has fully industrialized. This is no longer a problem that individual organizations can ignore or assume will not affect them. Every business with digital assets is a potential target.
Compliance Angle: February's breaches carry significant regulatory implications. Odido faces potential GDPR fines of up to 4% of global turnover. Betterment must navigate SEC cybersecurity disclosure rules, FINRA requirements, and breach notification laws in all 50 states. The Conpet pipeline breach raises NIS2 Directive compliance questions for critical infrastructure operators across Europe. Japan Airlines' 18-month dwell time raises questions about whether adequate detection controls were in place as required by Japan's Act on the Protection of Personal Information (APPI).
For website owners and compliance officers, the message is clear: scan your web properties for security vulnerabilities, audit your vendor relationships, train your employees against social engineering, and ensure your breach response plans are current. The cost of prevention is measured in hours. The cost of a breach is measured in millions of dollars, regulatory penalties, and irreparable damage to customer trust.
Run a free security scan at scancomply.com/security-scan to identify vulnerabilities in your SSL configuration, security headers, and common exposure points before attackers find them first.