In February 2026, Odido, the largest mobile phone company in the Netherlands, suffered a large-scale cyber breach when attackers gained access to its customer systems and exposed sensitive data tied to over six million accounts. The breach may result in Odido having to defend itself in court, as two Dutch privacy organisations have joined forces and announced this week that they intend to bring a class action lawsuit on behalf of the affected customers.
The incident sits at the intersection of the GDPR, the NIS2 Directive and local legislation such as the Dutch Telecommunications Act and illustrates a trend reshaping the European threat landscape: even where perimeter defences are technically robust, attackers are succeeding by targeting the human layer. For telecoms operators and other data‑intensive organisations, the Odido breach offers clear legal and compliance lessons.
Nature and facts of the data breach
Initial investigations indicate that the breach involved social engineering combined with targeted phishing. The attackers reportedly used impersonation to defeat multi-factor authentication and gain legitimate system access, followed by automated scraping and downloading of personal data on millions of accounts from Odido’s CRM platform.
This pattern reflects a wider shift away from purely technical exploits toward attacks that exploit human behaviour, internal processes and access governance. Although network integrity and service continuity were maintained, significant obligations under EU data protection law were triggered.
Odido’s response
We understand that Odido reported the incident to the Dutch Data Protection Authority (Autoriteit Persoonsgegevens, AP) and began alerting affected customers as quickly as possible once the breach was confirmed. Odido decided not to engage in negotiations with the attackers or submit to their attempts at blackmail, following advice from the Dutch Police, who publicly stated that paying a ransom could finance future attacks and offered no guarantee that attackers would delete the data.
From a compliance perspective, this response reflects current best practice, particularly given the legal complexities surrounding ransom payments and sanctions exposure.
Regulatory investigation
On 26 March the AP announced a formal investigation into the incident, working closely with the Dutch Authority for Digital Infrastructure (Rijksinspectie Digitale Infrastructuur, RDI). The RDI is leading the assessment of technical security measures, applying the requirements under the Dutch Telecommunications Act and related rules on the safety and integrity of telecommunications, while the AP is examining the adequacy of personal data measures within those systems, including on the basis of complaints from affected (former) Odido customers.
Key takeaways
The following key takeaways can be derived from the Odido data breach:
Breach notification requires preparation, not just speed:
Under Article 33 GDPR, controllers must notify the competent supervisory authority of a personal data breach within 72 hours of becoming aware of it, unless the breach is unlikely to result in a risk to individuals. Where a breach is likely to result in a high risk to individuals’ rights and freedoms, Article 34 requires direct notification to affected data subjects without undue delay.
Timeliness is critical, but so is quality. Poorly drafted or delayed communications can erode trust, prompt complaints to regulators, and increase exposure to civil claims such as the one currently being prepared against Odido. Organisations should ensure that breach notification protocols are operational before an incident occurs, with clearly defined roles, pre‑approved templates for regulatory and customer communications, and a structured process for assessing whether the Article 34 threshold is met.
Data governance, staff training and CRM controls are central:
Incidents involving data relating to former customers highlight the importance of the GDPR data minimisation and storage limitation principles. Organisations should maintain a documented and enforceable data retention policy covering retention periods, legal basis, and systematic deletion or anonymisation.
Equally, Article 32 GDPR and the NIS2 Directive require appropriate technical and organisational measures. European regulators increasingly treat deficiencies in staff training, phishing awareness and access governance (aspects of the human layer) as failures of organisational security. CRM systems, which aggregate large volumes of personal data combining names, IBANs, identity document numbers and contact details, should be treated as high-risk processing environments, often requiring a Data Protection Impact Assessment under Article 35.
Failure to carry out a required Data Protection Impact Assessment is itself an infringement attracting fines of up to EUR 10 million or 2% of total worldwide annual turnover.
Ransom payments raise multiple legal considerations:
Ransom payments engage sanctions, criminal law, insurance and regulatory considerations. At EU level, Council Regulation (EU) 2019/796 prohibits making funds available to designated persons and entities involved in cyber‑attacks threatening the Union. In practice, attribution during an incident is difficult, and attackers often operate through intermediaries or multiple aliases.
National laws may also require notification to authorities or authorisation before any payment is made. Cyber insurance policies further complicate matters, as coverage may be excluded if a payment breaches sanctions law. Organisations should establish a pre‑incident ransom policy, informed by legal advice and aligned with national law‑enforcement guidance, rather than making decisions for the first time during a live incident.
NIS2 compliance is now a baseline obligation:
The NIS2 Directive applies directly to essential entities in the telecommunications sector and imposes obligations relating to risk management, supply chain security, access control and incident reporting, with fines of up to EUR 10 million or 2% of global annual turnover. In the Netherlands, NIS2 is being implemented through the Dutch Cyber Security Act (Cyberbeveiligingswet or Cbw), which will designate telecoms operators as essential entities and impose obligations regarding risk management and incident notification to the RDI and, where personal data are involved, the AP. Dutch telecoms operators should be aware that national legislation may go beyond the NIS2 minimum harmonisation floor.
As a result, telecoms operators must treat compliance with NIS2 and its national transposition as a minimum baseline: conducting regular risk assessments, implementing multi-factor authentication robustly (including verification that it cannot be defeated through social engineering), restricting privileged access to CRM and similar systems, and testing incident response plans.
Lessons for the sector
The Odido breach reflects a persistent challenge in telecoms security given the highly sensitive personal identifiers operators handle, from contact details and birth dates to bank account numbers and government ID information. Regulators will expect organisations not merely to respond to their own incidents, but to demonstrate that they have learned from sector-wide patterns.
A key emerging issue is the aftercare provided by breached entities to affected individuals. In the Netherlands, recent data breach incidents have been referenced in parliamentary discussions on cybersecurity legislation, including proposals to explore statutory aftercare obligations. While GDPR Article 34 requires notification, it does not mandate ongoing support. Future obligations could require credit monitoring, identity protection services or extended customer support.
Legal and compliance teams should prepare by considering what forms of aftercare and support could realistically be offered at scale, pre-qualifying third-party providers for credit monitoring and identity theft protection, and factoring these costs into incident response planning.
What’s next?
For (telecoms) legal and compliance teams the takeaway is clear: treat this incident as an action list. Test your notification protocol, stress-test your multi-factor authentication and CRM controls, document your ransom policy, and plan for enhanced aftercare.
Our team has extensive experience advising telecommunications operators and technology companies on these issues. If you would like to discuss a tailored action plan for your organisation, please get in touch.