In February 2025, Dutch telecom operator Odido disclosed a breach affecting 6.2 million current and former customers, roughly a third of the country’s population, and the largest telecom breach in Dutch history. Attackers socially engineered an outsourced call center employee into approving a fraudulent MFA request, gaining access to Odido’s Salesforce CRM environment and exfiltrating highly sensitive data including passport numbers, IBANs, and dates of birth. What follows is reminiscent of a binge-worthy streaming drama: When Odido refused to pay, the attackers deliberately and publicly escalated, leaking all stolen customer data on a dark-web leak site, threatening releases of up to a million records per day, and briefing media. The breach transformed into a sustained, public extortion campaign. An independent IT security consultant and ethical hacker intensified the debate by launching a crowdfunding campaign to pay the ransom, against police advice.

Unpacking The Breach: A Failure In Four Acts

For security leaders, the real story is not just about MFA failures or even social engineering. It is a lesson in executive decisions: how customer data was governed, how critical systems were architected, and how much risk was implicitly accepted. The breach:

  • Began as a combined social engineering and MFA bypass attack. On the surface, the attack was a standard human-related breach. Attackers used basic social engineering combined with increasingly sophisticated MFA bypass techniques, in which phishing kits persuade users to share credentials and approve MFA challenges.
  • Was enabled by a blast radius baked into the design before the attack began. A single customer service account was granted overly broad access, with visibility into millions of customers’ personally identifiable information.
  • Was exacerbated by retaining data which Odido had committed to delete. Despite being bound by contractual terms requiring deletion within two years of contract termination, Odido kept personal data from former customers going back nearly a decade. This violates GDPR requirements, including data minimization and security obligations, and resulted in former customers from as far back as 2016 receiving breach notifications.
  • Treated CRM as just another business app. Odido’s Salesforce environment held millions of customer records, yet seemed to have inherited the light-touch governance of a commodity business app. The assumption was that the CRM was secured by the vendor. Security controls were likely left at defaults, with broad access unchallenged and monitoring that did not detect bulk data pulls.

The Fallout

In the days after disclosure, nearly a quarter of all Dutch customers switching mobile providers came from Odido. With daily leaks and hackers feeding journalists, that damage keeps compounding. Unlike passwords, stolen names, addresses, and dates of birth retain their value to criminals for years. In some cases, like stalking or domestic violence situations, the consequences can be far more serious than fraud alone.

What Security Leaders Should Do

Under Network and Information Systems Directive 2 (NIS2) expectations, Dutch regulators are no longer tolerant of security failures, nor are customers. So what should you do in the wake of this breach?

  • Deploy phishing-resistant MFA when compromise is existential. This incident is another reminder that traditional MFA methods such as one-time passcodes are increasingly vulnerable. Accelerate deployment of phishing-resistant MFA such as FIDO2 hardware keys or device-bound passkeys across workforce identities and privileged access to significantly reduce the risk of identity-based compromise.
  • Re-examine role-based access to sensitive data. If a single account can see millions of identity records, the architecture is the risk. Apply least privilege, utilize Just-In-Time role assignment and conditional access policies, enforce data minimization in CRM and support platforms, and set retrieval limits to contain blast radius. Ensure IAM and SecOps teams are closely coordinated and applying real-time risk signals to facilitate rapid detection and response.
  • Treat human-related breaches holistically. Training alone won’t stop human-element breaches; even the most vigilant employee can fall for a phishing lure. Similarly, technology will not solve all your problems. Strike the balance, combining email, messaging and collaboration security, phishing-resistant multifactor authentication, training, and processes such as callback protocols for any MFA approval or access request initiated by phone. Use Human Risk Management (HRM) solutions to boost your security controls.
  • Eliminate retained data that only exists to hurt you later. Establish and enforce data retention policies that align with regulatory requirements — and build a culture of eliminating ROT (Redundant, Obsolete, Trivial data). Audit your data practices against what your privacy statements promise. Retention gaps accumulate quietly over years, and regulators rarely accept convenience as justification for data you no longer have a legal basis to hold. Delete what you no longer need and establish systematic policies to enforce this over time.
  • Reclassify your CRM. If it holds more than 100,000 customer records, treat it as Tier-1 infrastructure with the access controls, monitoring, and hardening standards that come with that designation.
  • Audit your configuration against the vendor’s own security baseline. What the vendor enables by default and what they recommend are rarely the same thing. Field-level security, encrypted fields, login IP restrictions, MFA enforcement at the org level, and anomaly alerting are the starting point.
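The retrieval limits and anomaly alerting recommended above can be checked against CRM audit logs. The following is an added example, not code from Odido, Salesforce, or the original post; it assumes a simplified, constructed log format (timestamp, user, event type, row count) and illustrative thresholds, and flags both a single oversized pull and a user whose cumulative retrievals exceed a cap inside a sliding time window.

```python
"""Detect bulk customer-record retrieval from a CRM audit log.

Constructed example, not Odido's or Salesforce's code. Log lines are
assumed to follow a hypothetical "timestamp user event rows=N" format.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines (hypothetical format, not a vendor schema).
SAMPLE_LOG = """\
2025-02-10T09:01:12Z agent.42 ReportExport rows=150
2025-02-10T09:03:40Z agent.42 ReportExport rows=200
2025-02-10T09:05:05Z agent.42 ApiQuery rows=48000
2025-02-10T09:07:30Z agent.42 ApiQuery rows=52000
2025-02-10T09:10:00Z agent.07 RecordView rows=1
2025-02-10T11:20:00Z agent.07 ReportExport rows=300
"""

# Policy thresholds (assumed values; tune to the normal support workload).
MAX_ROWS_PER_EVENT = 5000      # a single pull larger than this is abnormal
MAX_ROWS_PER_WINDOW = 10000    # cumulative rows per user inside WINDOW
WINDOW = timedelta(minutes=15)


def parse_log(text):
    """Return a list of (timestamp, user, event, rows) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, event, rows = line.split()
        events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
                       user, event, int(rows.split("=", 1)[1])))
    return events


def find_bulk_pulls(events):
    """Flag oversized single pulls and users exceeding the sliding-window cap.

    Returns a sorted list of (user, reason) tuples; an empty list means
    nothing in the log crossed either threshold.
    """
    alerts = set()
    per_user = defaultdict(list)          # user -> [(timestamp, rows), ...]
    for ts, user, event, rows in sorted(events):
        if rows > MAX_ROWS_PER_EVENT:
            alerts.add((user, f"single {event} returned {rows} rows"))
        window = per_user[user]
        window.append((ts, rows))
        # Drop entries that have fallen out of the sliding window.
        while window and ts - window[0][0] > WINDOW:
            window.pop(0)
        total = sum(r for _, r in window)
        if total > MAX_ROWS_PER_WINDOW:
            alerts.add((user, f"{total} rows in {WINDOW} window"))
    return sorted(alerts)
```

In the constructed sample, agent.42 is flagged twice for single oversized API queries and twice for cumulative volume, while agent.07's small, widely spaced retrievals raise nothing.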

Let’s Connect
To discuss our recommendations further, reach out to schedule a guidance session.