Odido CRM Data Breach Exposes 6.2M Customer Records

A cyberattack on Odido’s CRM system exposed personal data from 6.2 million customers, though passwords and billing information were not affected.

Written By
Ken Underhill
Feb 13, 2026

A major Dutch telecom provider is warning customers after a cyberattack exposed personal data tied to millions of accounts. 

Odido Telecom confirmed that attackers gained unauthorized access to its customer database, impacting roughly 6.2 million customers. 

“This involved personal data from a customer contact system used by Odido. No passwords, call logs, or billing information were affected,” said the company in its notice.

What Data Was Exposed in the Odido Incident

Odido provides mobile, internet, and television services to both consumers and businesses across the Netherlands.

Attackers accessed Odido’s CRM system and downloaded customer data before the activity was detected and blocked. 

Following the discovery, Odido notified regulators and began directly alerting affected customers.

The company said the intrusion was limited to systems used for customer contact and account management, rather than core telecommunications infrastructure. 

While this prevented service disruptions, the CRM environment contained a significant volume of sensitive personal information. 

Exposed data potentially includes names, home addresses, mobile phone numbers, customer account numbers, email addresses, IBAN bank account numbers, dates of birth, and government-issued identification details such as passport or driver’s license numbers. 

Odido stressed that passwords for the My Odido customer portal, call and messaging records, real-time location data, invoice details, and scanned copies of identity documents were not exposed.

At the time of publication, the company has not reported any of the data being leaked on cybercrime marketplaces.


How Organizations Can Reduce Risk

This incident illustrates how customer data can be exposed and why a structured response matters after a breach. 

Although no single control is sufficient on its own, layered mitigations can reduce both short- and long-term risk.

  • Block unauthorized access quickly, engage external cybersecurity investigators, and report incidents to regulators within required timelines to limit exposure and maintain compliance.
  • Reduce breach impact through data minimization, shorter retention periods, and isolation or tokenization of high-risk customer identifiers.
  • Enforce least-privilege and just-in-time access controls for CRM and customer support systems, including approvals for bulk data exports.
  • Monitor for anomalous data access patterns such as unusual query volume, large exports, or off-hours activity, not just suspicious logins.
  • Segment CRM platforms from billing, identity, and other sensitive systems to restrict lateral movement and limit blast radius.
  • Provide security awareness training on phishing and social engineering.
  • Regularly test and update incident response plans through tabletop exercises and simulations that include data-theft scenarios, customer notification workflows, and regulatory reporting requirements.
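
The data-access monitoring item above can be sketched as a small detector run over CRM audit events. This is an added example, not code from Odido or the article; the log format, user names, working hours, and thresholds are all assumptions, and the sample events are constructed.

```python
from collections import defaultdict
from datetime import datetime
from statistics import median

# Constructed CRM audit events: local timestamp, user, action, records returned.
SAMPLE_LOG = """\
2026-02-02T09:14:00 agent_a query 3
2026-02-02T10:02:00 agent_a query 5
2026-02-02T11:30:00 agent_b query 4
2026-02-02T14:45:00 agent_b export 40
2026-02-03T09:20:00 agent_a query 2
2026-02-03T13:05:00 agent_b query 6
2026-02-04T02:17:00 agent_a query 4
2026-02-04T02:19:00 agent_a export 250000
2026-02-04T10:40:00 agent_b query 900
"""

BUSINESS_HOURS = range(7, 20)  # assumed working hours, 07:00-19:59
EXPORT_LIMIT = 1000            # assumed: larger exports need prior approval
VOLUME_FACTOR = 20             # assumed: flag rows > 20x the user's median

def parse(log):
    for line in log.strip().splitlines():
        ts, user, action, rows = line.split()
        yield datetime.fromisoformat(ts), user, action, int(rows)

def detect(log):
    """Return (timestamp, user, reason) for each anomalous event."""
    history = defaultdict(list)  # record counts of earlier normal events, per user
    alerts = []
    for ts, user, action, rows in parse(log):
        reasons = []
        if ts.hour not in BUSINESS_HOURS:
            reasons.append("off-hours")
        if action == "export" and rows > EXPORT_LIMIT:
            reasons.append("bulk-export")
        past = history[user]
        # Compare against the user's own baseline once a few events exist.
        if len(past) >= 3 and rows > VOLUME_FACTOR * median(past):
            reasons.append("volume-spike")
        alerts += [(ts.isoformat(), user, r) for r in reasons]
        # Flagged events are kept out of the baseline so they cannot inflate it.
        if not reasons:
            past.append(rows)
    return alerts

if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(*alert)
```

Note that the last sample event is flagged even though the login, time of day, and action type all look normal: only the per-user record volume gives it away.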

Together, these measures help organizations limit blast radius during a breach while building the operational resilience needed to detect incidents faster, contain them more effectively, and recover with less disruption. 

The case illustrates how CRM breaches can introduce downstream risk even without service disruption, reinforcing the need for controls that limit blast radius and support effective detection and recovery. 

To reduce blast radius and better control data access, organizations are adopting zero-trust solutions that continuously verify users, devices, and access requests.

Ken Underhill

Ken Underhill is an award-winning cybersecurity professional, bestselling author, and seasoned IT professional. He holds a graduate degree in cybersecurity and information assurance from Western Governors University and brings years of hands-on experience to the field.
