February 2026 has delivered a relentless barrage of data breaches spanning telecom, financial services, aviation, and critical infrastructure across four continents. The month's most devastating incident struck the Netherlands, where telecom giant Odido confirmed that 6.2 million customers had their personal data stolen, including bank account numbers, passport details, and home addresses, in one of the largest breaches in Dutch history. Meanwhile, ShinyHunters, the prolific hacking group behind November 2025's massive Salesforce/Gainsight supply chain attack, continued their rampage into 2026 by compromising 1.4 million Betterment accounts through social engineering attacks targeting employees. Japan Airlines disclosed unauthorized access affecting 28,000 users, with a disturbing twist: the attackers had been inside their systems since July 2024, an 18-month dwell time. The week of February 2-8 alone saw 182 ransomware victims across 38 countries claimed by 34 distinct ransomware operators, underscoring the industrial scale of modern cybercrime. From oil pipeline operators in Romania to national citizen databases in Senegal, no sector and no geography is safe.
Breach severity alert: If your organization uses third-party customer contact platforms, employee-facing marketing tools, or file-sharing services, review your vendor security posture immediately. February's breaches share a common thread: attackers are bypassing perimeter defenses by targeting employees through social engineering and exploiting third-party vendor access. ShinyHunters' pivot from supply chain attacks to employee phishing signals an evolution in tactics. Telecom customers in the Netherlands should monitor for identity fraud. Betterment users should enable multi-factor authentication on all financial accounts and watch for fraudulent crypto investment emails.
Odido: 6.2 Million Dutch Telecom Customers Exposed
Breach Overview:
• Victim: Odido (formerly T-Mobile Netherlands), the largest mobile phone operator in the Netherlands
• Date Discovered: February 7, 2026
• Records Exposed: 6.2 million customers (roughly one-third of the Dutch population)
• Attack Vector: Compromised customer contact system
• Reported To: Dutch Data Protection Authority (Autoriteit Persoonsgegevens)
Data Stolen (Confirmed):
• Full names
• Bank account numbers (IBAN)
• Home addresses
• Mobile phone numbers
• Email addresses
• Customer account numbers
• Identity documents (passports, driver's licenses)
Data NOT Compromised (Per Odido Statement):
• Passwords and login credentials
• Call detail records
• Billing and payment history
• Location data
• Scanned copies of identity documents
Why This Breach Is Exceptionally Dangerous:
Dutch security experts have described the stolen data combination as "worth gold for criminals." The combination of IBAN numbers, identity documents, and personal contact details creates a perfect storm for:
• Bank fraud: IBAN numbers combined with names and addresses enable unauthorized direct debit transactions across European SEPA banking
• Identity theft: Passport and driver's license numbers allow criminals to open accounts, apply for credit, or create fraudulent identities
• Targeted phishing: With phone numbers, emails, and account details, attackers can craft highly convincing phishing messages impersonating Odido or Dutch banks
• SIM swap attacks: Mobile numbers linked to identity data enable SIM swapping for two-factor authentication bypass
GDPR Implications:
As a Dutch company processing EU citizen data, Odido faces significant GDPR exposure:
• Article 33: Mandatory 72-hour breach notification to Dutch DPA (completed)
• Article 34: Individual notification to affected data subjects required given the high risk to rights and freedoms
• Potential Fines: Up to 4% of annual global turnover or 20 million EUR, whichever is higher
• Precedent: Dutch DPA previously fined T-Mobile Netherlands 475,000 EUR for a 2020 breach. This breach is orders of magnitude larger
• Class Action Risk: Dutch collective action lawsuits for privacy violations have surged since GDPR enforcement began
Lessons for Organizations:
• Customer contact systems are high-value targets: These systems aggregate the most sensitive customer data in one place
• Telecom data is uniquely dangerous: Phone numbers, IBANs, and identity documents together enable cascading fraud
• GDPR compliance is not optional: Organizations must implement technical and organizational measures proportionate to the risk of processing
ShinyHunters Strike Again: 1.4 Million Betterment Accounts
Breach Overview:
• Victim: Betterment (automated investment and fintech platform)
• Attack Date: January 9, 2026 (disclosed January 10, public notification February 2026)
• Records Exposed: 1,435,174 accounts
• Threat Actor: ShinyHunters (confirmed claim of responsibility)
• Attack Vector: Social engineering and phishing of Betterment employees
Data Stolen:
• Email addresses
• Full names
• Dates of birth
• Physical addresses
• Phone numbers
• Device information
• Employer locations and job titles
Data NOT Compromised (Per Betterment):
• Account passwords
• Financial account balances
• Investment holdings
• Social Security numbers
• Bank account or routing numbers
How the Attack Worked:
ShinyHunters used a notably different approach from their November 2025 Salesforce/Gainsight supply chain attack:
Step 1: Employee Targeting
• Identified Betterment employees with access to third-party operational platforms
• Crafted targeted phishing emails impersonating internal IT or vendor communications
• Successfully compromised employee credentials through social engineering
Step 2: Third-Party Platform Access
• Used stolen credentials to access marketing and customer support platforms
• These platforms contained customer contact data, demographic information, and account metadata
• Attackers did not breach Betterment's core financial systems
Step 3: Data Exfiltration and Weaponization
• Extracted 1.4 million customer records from operational platforms
• Immediately began sending fraudulent cryptocurrency investment emails to stolen addresses
• Attempted to leverage trust in the Betterment brand for a secondary scam
ShinyHunters' Evolving Tactics (2025-2026 Timeline):
• November 2025: Supply chain attack via Salesforce/Gainsight apps, compromising approximately 1,000 companies simultaneously
• January 2026: Pivoted to direct social engineering, targeting individual company employees
• Pattern: Consistently targets third-party platforms rather than core systems, exploiting the weaker security of marketing, CRM, and support tools
Compliance Implications:
• SEC Disclosure: As a registered investment advisor, Betterment faces SEC cybersecurity disclosure requirements under 2023 rules
• State Privacy Laws: With 1.4M affected accounts across multiple states, Betterment must comply with breach notification laws in all 50 states plus new comprehensive privacy laws (Indiana, Kentucky, Rhode Island)
• FINRA Requirements: Financial industry cybersecurity obligations require documented incident response and customer notification
Actionable Takeaway:
ShinyHunters' shift from supply chain exploitation to employee social engineering confirms that human factors remain the weakest link in organizational security. Organizations must invest in security awareness training, implement phishing-resistant multi-factor authentication (FIDO2/WebAuthn), and audit third-party platform access controls.
Other Major February 2026 Breaches
1. Japan Airlines: 28,000 Users, 18-Month Dwell Time
• Discovery Date: February 9, 2026
• Breach Duration: Since July 2024 (approximately 18 months of unauthorized access)
• Records Exposed: 28,000+ user accounts
• Data Compromised: Names, phone numbers, email addresses, travel details
• Key Concern: The 18-month dwell time suggests sophisticated, persistent threat actors who evaded detection for over a year. Travel data (itineraries, destinations, frequent flyer details) is valuable for targeted phishing and physical security threats against high-profile travelers.
2. Iron Mountain: Ransomware Exaggeration Case Study
• Date: February 2, 2026
• Threat Actor: Everest ransomware gang
• Claimed: 1.4 TB of stolen data from the enterprise information management company
• Reality: Investigation revealed the breach was far more limited than claimed
• Actual Impact: Single compromised credential on a third-party file-sharing site
• Data Exposed: Marketing materials only, no customer sensitive data
• No ransomware deployed, core infrastructure remained secure
Lesson: Ransomware gangs routinely exaggerate breach severity to pressure victims. Iron Mountain's transparent investigation and disclosure is a model response: investigate thoroughly before reacting to attacker claims.
3. Conpet (Romania): Oil Pipeline Operator Hit by Qilin Ransomware
• Date: February 2026
• Threat Actor: Qilin ransomware group
• Victim: Conpet, Romania's national oil pipeline transport operator
• Data Compromised: 1 TB including internal documents, employee passports, financial information
• Significance: Critical infrastructure targeting continues to escalate. Energy sector organizations face both data theft and potential operational disruption risks. EU NIS2 Directive compliance is now essential for critical infrastructure operators.
4. DAF Senegal: 139 TB National Citizen Database
• Date: February 2026
• Victim: Senegalese government citizen database (Direction de l'Automatisation des Fichiers)
• Data Compromised: 139 TB including citizen records, biometric data, immigration documents
• Impact: 5-day operational disruption to national government services
• Significance: Nation-state-scale breach affecting an entire country's citizen records, highlighting the vulnerability of government digital infrastructure in developing nations.
5. Additional February Breaches:
• Substack: Email addresses and phone numbers exposed through platform vulnerability
• Dutch Data Protection Authority: Breached via an Ivanti VPN exploit; ironically, this is the very agency that enforces GDPR
• Hawk Law Group: INC ransomware attack on legal firm, potentially exposing privileged client communications
• Terry Reilly Health Services: Healthcare vendor breach exposing patient data
• Flickr: Third-party integration breach exposing user data
Weekly Ransomware Statistics (February 2-8, 2026):
• 182 ransomware victims claimed in a single week
• 38 countries affected
• 34 distinct ransomware operators active simultaneously
These numbers represent the full industrialization of ransomware. With 34 separate operators running concurrent campaigns across nearly 40 countries, ransomware has evolved from isolated criminal enterprises into a global industry with specialization, supply chains, and affiliate networks.
Protection Strategies: Lessons from February's Breaches
February 2026's breach landscape reveals consistent attack patterns that organizations can defend against with targeted measures:
1. Harden Third-Party Vendor Access
Both the Odido and Betterment breaches exploited third-party platforms (customer contact systems and marketing tools). Organizations must:
• Audit all vendor integrations: Inventory every third-party platform that accesses customer data
• Apply least-privilege access: Marketing tools should not have access to IBAN numbers or identity documents
• Implement vendor security assessments: Require SOC 2 Type II or ISO 27001 certification from vendors handling sensitive data
• Segment vendor access: Use separate credential sets and network zones for third-party integrations
2. Deploy Phishing-Resistant Authentication
ShinyHunters' social engineering attack on Betterment employees bypassed traditional MFA. Upgrade to:
• FIDO2/WebAuthn hardware keys: Physical security keys that cannot be phished
• Passkeys: Platform-native passwordless authentication tied to device biometrics
• Conditional access policies: Require hardware tokens for access to customer data platforms
• Regular phishing simulations: Test employees quarterly with realistic phishing scenarios
3. Reduce Dwell Time with Detection Engineering
Japan Airlines' 18-month dwell time is unacceptable. Implement:
• Behavioral analytics: Detect anomalous data access patterns (unusual query volumes, off-hours access)
• Canary tokens: Deploy decoy files and credentials that alert when accessed
• 24/7 SOC monitoring: Managed detection and response for organizations without in-house capability
• Regular threat hunting: Proactive searches for indicators of compromise, not just reactive alerting
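The behavioral-analytics bullet above (unusual query volumes, off-hours access) can be expressed as a small detection over data-access logs. This is an added example, not code from the article or from any affected organization; the log format, account names, business-hours window and volume threshold are all assumptions.

```python
from datetime import datetime
from statistics import median

# Constructed sample: ISO timestamp, account, customer records returned by the query.
SAMPLE_LOG = """\
2026-02-03T09:12:00 support_anna 14
2026-02-03T10:40:00 support_anna 22
2026-02-03T14:05:00 support_anna 9
2026-02-03T11:30:00 mkt_export 300
2026-02-04T11:31:00 mkt_export 310
2026-02-05T02:47:00 support_anna 18
2026-02-05T11:29:00 mkt_export 48000
"""

BUSINESS_HOURS = range(7, 20)  # assumption: 07:00-19:59 local time is normal
VOLUME_FACTOR = 10             # assumption: alert at 10x the account's own median
MIN_HISTORY = 2                # earlier events needed before judging volume

def parse(log_text):
    """Yield (timestamp, account, record_count) from whitespace-separated lines."""
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, account, count = line.split()
        yield datetime.fromisoformat(ts), account, int(count)

def detect(log_text):
    """Return (timestamp, account, reason) alerts, judging each event
    only against that account's own earlier events."""
    history, alerts = {}, []
    for ts, account, count in sorted(parse(log_text)):
        seen = history.setdefault(account, [])
        if ts.hour not in BUSINESS_HOURS:
            alerts.append((ts.isoformat(), account, "off-hours access"))
        if len(seen) >= MIN_HISTORY and count > VOLUME_FACTOR * median(seen):
            alerts.append((ts.isoformat(), account, "unusual query volume"))
        seen.append(count)
    return alerts

if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(*alert, sep="  ")
```

Baselining each account against its own history keeps a bulk-export service account from drowning out a support login that suddenly reads far more records than usual.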
4. Prepare for Ransomware Inevitability
With 34 ransomware operators active simultaneously and 182 victims in a single week:
• Maintain offline backups: Air-gapped backup copies tested monthly for restoration
• Develop incident response playbooks: Pre-written procedures for ransomware scenarios including legal, communications, and technical response
• Carry cyber insurance: Ensure policy covers ransomware, business interruption, and breach notification costs
• Segment networks: Prevent lateral movement by isolating critical systems from general-purpose networks
5. Implement Security Headers and Web Protections
Basic web security hygiene prevents many common attack vectors:
• Content-Security-Policy: Prevent cross-site scripting and data injection
• Strict-Transport-Security: Enforce HTTPS connections
• X-Frame-Options: Prevent clickjacking attacks
• Permissions-Policy: Control browser feature access (camera, microphone, geolocation)
• Referrer-Policy: Limit information leakage through HTTP referrer headers
• X-Content-Type-Options: Prevent MIME type sniffing attacks
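A header being present is not the same as it being effective, so an audit should grade values as well as presence. The following added example (not the article's or any scanner's own code) checks the six headers listed above against a constructed response; the one-year HSTS baseline and the specific "weak" criteria are assumptions.

```python
# Constructed response headers for a hypothetical site; not captured from a real host.
SAMPLE_RESPONSE = """\
HTTP/1.1 200 OK
Content-Type: text/html; charset=utf-8
Strict-Transport-Security: max-age=3600
X-Frame-Options: ALLOWALL
X-Content-Type-Options: nosniff
Content-Security-Policy: default-src 'self'; script-src 'self' 'unsafe-inline'
Referrer-Policy: strict-origin-when-cross-origin
"""

ONE_YEAR = 31536000  # assumption: common HSTS baseline, not a figure from the article

def hsts_ok(value):
    """True when max-age is numeric and at least one year."""
    for part in value.split(";"):
        name, _, arg = part.strip().partition("=")
        arg = arg.strip().strip('"')
        if name.strip().lower() == "max-age" and arg.isdigit():
            return int(arg) >= ONE_YEAR
    return False

def csp_ok(value):
    """Conservative check: any 'unsafe-inline' or 'unsafe-eval' counts as weak."""
    return not any(tok in value for tok in ("'unsafe-inline'", "'unsafe-eval'"))

# Header name -> predicate that returns True when the value is acceptable.
CHECKS = {
    "content-security-policy": csp_ok,
    "strict-transport-security": hsts_ok,
    "x-frame-options": lambda v: v.strip().upper() in ("DENY", "SAMEORIGIN"),
    "permissions-policy": lambda v: bool(v.strip()),
    "referrer-policy": lambda v: v.strip().lower() not in ("", "unsafe-url"),
    "x-content-type-options": lambda v: v.strip().lower() == "nosniff",
}

def parse_headers(raw):
    """Parse a raw response head into {lowercased-name: value}."""
    headers = {}
    for line in raw.splitlines()[1:]:  # skip the status line
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return headers

def audit(raw):
    """Return {header: 'ok' | 'weak' | 'missing'} for the six headers listed."""
    headers = parse_headers(raw)
    return {name: ("missing" if name not in headers
                   else "ok" if is_ok(headers[name]) else "weak")
            for name, is_ok in CHECKS.items()}
```

On the constructed response, three headers are present but weak, which a presence-only check would report as passing.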
February 2026 reinforces the patterns that defined the breach landscape throughout 2025 and into the new year: third-party vendor compromise, social engineering, and ransomware industrialization remain the dominant attack vectors. Odido's 6.2 million customer breach demonstrates that telecom companies, which aggregate some of the most sensitive personal data imaginable (identity documents, bank details, and phone numbers), remain high-value targets with massive GDPR exposure. ShinyHunters' continued evolution, pivoting from supply chain attacks in November 2025 to direct employee phishing in January 2026, shows that sophisticated threat actors adapt their tactics faster than most organizations update their defenses.
The scale of ransomware activity, 182 victims across 38 countries by 34 operators in a single week, confirms that ransomware has fully industrialized. This is no longer a problem that individual organizations can ignore or assume will not affect them. Every business with digital assets is a potential target.
Compliance Angle: February's breaches carry significant regulatory implications. Odido faces potential GDPR fines of up to 4% of global turnover. Betterment must navigate SEC cybersecurity disclosure rules, FINRA requirements, and breach notification laws in all 50 states. The Conpet pipeline breach raises NIS2 Directive compliance questions for critical infrastructure operators across Europe. Japan Airlines' 18-month dwell time raises questions about whether adequate detection controls were in place as required by Japan's Act on the Protection of Personal Information (APPI).
For website owners and compliance officers, the message is clear: scan your web properties for security vulnerabilities, audit your vendor relationships, train your employees against social engineering, and ensure your breach response plans are current. The cost of prevention is measured in hours. The cost of a breach is measured in millions of dollars, regulatory penalties, and irreparable damage to customer trust.
Run a free security scan at scancomply.com/security-scan to identify vulnerabilities in your SSL configuration, security headers, and common exposure points before attackers find them first.