March 26th, 2026
Odido data breach: a wake-up call for every organisation.
Last week it emerged that telecom provider Odido had been hit by a major data breach. Attackers gained access to a file containing customer details linked to some 6.2 million accounts. The incident shows just how vulnerable an organisation becomes when a central customer system is compromised, and how far-reaching the consequences can be.
This was not limited to basic details such as usernames or passwords. The data involved was far more sensitive identity information, including:
- Full name
- Address and town or city
- Identity document details, such as passport or driving licence number and validity period
- IBAN bank account number
- Date of birth
- Telephone number
- Email address
- Customer number
What does this mean in practice?
A breach on this scale is more than an alarming headline. It has direct consequences on two levels: for customers and for organisations that are, whether knowingly or not, dependent on Odido.
Identity fraud becomes easier.
For customers, the immediate risk is that their personal data may now be used for fraud. With a name, address, date of birth and identity document details, an attacker can often get surprisingly far in identity verification processes; combined with an IBAN, the same data also makes phishing attempts look credible.
Phishing and social engineering become more convincing.
The risk in communications increases as well. Attackers now know exactly how to sound legitimate. Odido itself has warned customers about suspicious text messages and emails. Criminals can send messages along the lines of: “Dear customer, we have identified an issue with your bank account ending in …” and make them appear authentic.
Supply chain impact.
It does not stop with customers. Odido is embedded in critical processes at other organisations, from multi-factor authentication via text message to service desks and crisis communications. SMS-based MFA in particular inherits the security of the carrier and its customer records: a subscriber's name, date of birth and ID details are exactly what a fraudulent SIM-swap or number-porting request needs. The real question becomes: which processing activities within your organisation rely on Odido services, directly or indirectly?
And that leads to the core governance question for 2026:
Not “are we secure?”, but: do we truly understand, for each processing activity, which data, systems, suppliers and safeguards come together, and what happens if one link in that chain fails?
The pattern behind this week’s incidents.
Data breaches and hacks are a permanent fixture in the news. But anyone who followed the reporting of the past week could hardly avoid one conclusion: every organisation, public or private, large or small, can face a data breach.
1. Even regulators and the courts are vulnerable.
It may feel contradictory, but organisations that supervise privacy and legal protection can also be affected. At the Autoriteit Persoonsgegevens and the Raad voor de Rechtspraak, work-related personal data of employees was accessed through exploitation of a vulnerability in Ivanti Endpoint Manager Mobile (EPMM).
This concerned data such as name, business email address and telephone number, and other organisations that use the same software may be affected as well.
What lesson can we draw from this?
Even organisations that supervise privacy can be affected by chain risk in their own tooling.
The question “where does our mobile device management solution run, which data does it hold and which mitigations have we agreed?” is not a technical detail but a governance question.
2. European institutions and the Winter Games under pressure.
The European Commission also reported a hack on its central mobile device management platform. Limited personal data of employees (names and telephone numbers) was accessed; the attack was contained within a few hours.
Around the Winter Games in Milan-Cortina, cyberattacks of presumed Russian origin on Olympic websites, hotels and government portals were detected and repelled.
What lesson can we draw from this?
Cyberattacks have become part of geopolitics and reputational risk.
Incidents are often not an isolated “IT problem”, but affect trust in institutions.
3. Third parties and suppliers as the weakest link.
Flickr confirmed a data breach via an external email service provider: names, email addresses, IP addresses, and location information of users could be accessed.
Together with the Ivanti vulnerabilities and the Odido case, a consistent picture emerges:
Many incidents arise outside your own primary systems, at suppliers or in shared platforms.
The impact is large because those suppliers serve multiple customers and are often deeply integrated into processes.
Why traditional DPIAs and standalone vendor questionnaires are no longer enough.
On paper most organisations have their affairs in order. DPIAs have been carried out, there is a processing register and suppliers have been assessed via vendor assessments.
Yet practice shows something different.
The common thread? The information exists, but it is not connected.
- Information is spread across Excel, SharePoint and separate tools;
- DPIAs describe risks at a high level, but not concretely, per application and per supplier, which measures have actually been implemented;
- Vendor assessments exist alongside security and privacy processes, instead of being an integral part of them.
That seems manageable, until the moment an incident occurs. In an incident such as that at Odido you want to be able to answer within a few hours:
1. Which processing activities are affected?
All processes in which Odido (or another affected supplier) plays a role: customer communication, 2FA, service desk, etc.
2. Which data of which data subjects has been affected?
Not only “customer data”, but concretely: which categories of personal data are involved? In which countries are the data subjects located? Are vulnerable groups involved?
3. Which measures were already in place, and where are the gaps?
Per processing activity and per application:
- security measures, such as encryption, logging, access management;
- contractual measures, such as data processing agreements, data localisation, sub-processors;
- organisational measures (procedures, awareness programmes and escalation routes).
If that overview is missing, you not only run more risk, you also lose valuable time towards the supervisory authority, customers and employees. That time is scarce: under the GDPR, the supervisory authority must be notified within 72 hours of becoming aware of a reportable breach.
How GRCPerfect makes this concrete.
Within GRCPerfect we connect three worlds that in many organisations still stand apart:
- Vendor Risk Management (Third Party Risk)
- DPIA & processing register
- Information security measures per application / system
1. Vendor Risk Management: from questionnaire to chain insight.
Supplier management does not stop at a completed questionnaire. With our Vendor Risk / Third Party Risk functionality you can:
- record per supplier which systems and processing activities they support;
- centrally manage risk profiles, contractual agreements and audit evidence;
- link to privacy, security and AI risks in the same governance model.
In a scenario such as Odido you immediately see:
“This supplier affects 7 processing activities, 3 applications and 2 countries. These are the contractual agreements and these are the existing mitigating measures.”

2. DPIA and processing register: measures per processing activity and per application.
The DPIA functionality and the processing register in GRCPerfect, via the integrated privacy domain, make it possible not only to record information, but also to connect it directly.
Per processing activity you record what happens and why, including:
- purposes and legal basis;
- data subjects and data categories;
- the applications and suppliers used.
In addition, per application or system you record which measures actually apply, such as:
- technical security measures (for example encryption, logging and access management);
- organisational measures (policy, processes, roles and training);
- contractual measures (data processing agreement, sub-processors and audit rights).
The result is one consistent and up-to-date picture of risks and control, instead of separate DPIA reports per project.
3. Security, privacy and chain risk in one governance platform.
From 2026 GRCPerfect is positioned as an integral governance platform in which privacy, security, third-party risk and AI governance come together.
That means:
- shared risk models across domains;
- reuse of controls and evidence between DPIAs, vendor assessments and security audits;
- reports that give directors insight into chain risks in one go, instead of stacks of separate reports.

What you can still do this week.
Apart from tooling, there are three practical steps you can already take now to gain more control.
1. Create a top 10 of critical suppliers.
Map for your most important suppliers:
- which processing activities and applications they affect;
- which data (and in which countries) is involved;
- whether the DPIA, data processing agreement and security measures actually align.
2. Link incident response to governance information.
Ensure that in the event of a data breach you do not have to start the inventory from scratch:
- which processing activities are affected;
- which data subjects and categories of personal data are involved;
- which measures you can demonstrate towards the Autoriteit Persoonsgegevens and data subjects.
3. Test your DPIA approach for currency and depth.
Look critically at your DPIAs: are they snapshots that disappear into a folder, or do they move with changes in systems, suppliers and data flows?
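The three incident questions above (which processing activities, which data and data subjects, which measures and gaps) and the supplier mapping in step 1 amount to one query over a dependency graph: supplier to application to processing activity, with sub-processors adding indirect links. The script below is an added illustration of that query and is not GRCPerfect code. All suppliers, applications, activities, countries and control states in it are constructed sample data; in particular, the assumption that a hypothetical "sms-gateway" supplier sends 2FA codes over Odido is made up for the example.

```python
# Added illustration (not GRCPerfect code): a minimal supplier dependency model that
# answers the three incident questions for one compromised supplier.
# All suppliers, applications, activities and control states below are constructed
# sample data; the dependency of "sms-gateway" on Odido is an assumption for the example.
from collections import deque
from dataclasses import dataclass, field


@dataclass
class Supplier:
    name: str
    sub_processors: list = field(default_factory=list)  # suppliers this supplier relies on


@dataclass
class Application:
    name: str
    suppliers: list   # suppliers the application runs on or integrates with
    measures: dict    # control name -> implemented (True/False)


@dataclass
class ProcessingActivity:
    name: str
    applications: list
    data_categories: set
    countries: set    # where the data subjects are located


SUPPLIERS = {s.name: s for s in [
    Supplier("Odido"),
    Supplier("sms-gateway", sub_processors=["Odido"]),  # sends 2FA codes over Odido (assumed)
    Supplier("crm-saas"),
]}

APPLICATIONS = [
    Application("customer-portal-mfa", ["sms-gateway"],
                {"encryption": True, "logging": True, "access management": True, "DPA": False}),
    Application("servicedesk", ["Odido", "crm-saas"],
                {"encryption": True, "logging": False, "access management": True, "DPA": True}),
    Application("hr-system", ["crm-saas"],
                {"encryption": True, "logging": True, "access management": True, "DPA": True}),
]

ACTIVITIES = [
    ProcessingActivity("customer login", ["customer-portal-mfa"],
                       {"telephone number", "customer number"}, {"NL"}),
    ProcessingActivity("customer support", ["servicedesk"],
                       {"full name", "email address", "telephone number"}, {"NL", "BE"}),
    ProcessingActivity("payroll", ["hr-system"], {"IBAN", "date of birth"}, {"NL"}),
]

REQUIRED_CONTROLS = ["encryption", "logging", "access management", "DPA"]


def impacted_suppliers(suppliers, compromised):
    """Every supplier that depends on `compromised`, directly or through a chain of sub-processors."""
    users = {}  # reverse edges: sub-processor -> suppliers that use it
    for s in suppliers.values():
        for sub in s.sub_processors:
            users.setdefault(sub, set()).add(s.name)
    seen, queue = {compromised}, deque([compromised])
    while queue:  # breadth-first walk over the reverse edges
        for user in users.get(queue.popleft(), ()):
            if user not in seen:
                seen.add(user)
                queue.append(user)
    return seen


def blast_radius(suppliers, applications, activities, compromised, required_controls):
    """For one compromised supplier: affected activities, data, countries and control gaps."""
    affected_suppliers = impacted_suppliers(suppliers, compromised)
    affected_apps = [a for a in applications if affected_suppliers & set(a.suppliers)]
    app_names = {a.name for a in affected_apps}
    affected_acts = [p for p in activities if app_names & set(p.applications)]
    return {
        "suppliers": affected_suppliers,
        "applications": sorted(app_names),
        "processing_activities": sorted(p.name for p in affected_acts),
        "data_categories": set().union(*(p.data_categories for p in affected_acts)),
        "countries": set().union(*(p.countries for p in affected_acts)),
        # required controls not recorded as implemented, per affected application
        "control_gaps": {a.name: [c for c in required_controls if not a.measures.get(c)]
                         for a in affected_apps},
    }


if __name__ == "__main__":
    report = blast_radius(SUPPLIERS, APPLICATIONS, ACTIVITIES, "Odido", REQUIRED_CONTROLS)
    for key, value in report.items():
        print(f"{key}: {value}")
```

Running it for "Odido" surfaces the indirect path (customer login depends on the SMS gateway, which depends on Odido) as well as the direct service desk link, and lists per application which agreed controls are not recorded as implemented. The same query for any other supplier in the model works without changes, which is the point of keeping the links in one structure rather than in separate DPIA reports.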
From incident to integrated governance.
The incidents of this week, and the scale of the Odido hack in particular, make one thing clear: separate compliance activities are no longer enough. Data breaches have long since ceased to be judged on impact alone; they are judged on a much sharper question:
Could this organisation show that its governance was demonstrably in order?
With GRCPerfect you can:
- connect vendor risk management, DPIAs and security measures per processing activity and per application;
- make chain risks visible before an incident occurs;
- respond faster, more completely and better substantiated in the event of a data breach.
Turn insight into control.
Curious how you can bring together processing activities, suppliers and measures in one integrated model and how our Vendor Risk and DPIA functionalities help with this?
Then this is the moment to open the conversation and recalibrate your governance landscape.
Book a call with our team and explore how your governance can move from fragmented to fully integrated.