The recent data breach at Odido has had a major impact. For millions of current and former customers it is a drastic event: personal data that you share in confidence suddenly turns out to have ended up in the wrong hands. This creates uncertainty, worries about misuse and the feeling of having lost control over your own data. It is also an extremely unpleasant situation for Odido itself, with reputational damage, extra pressure on employees and intensive follow-up with customers and regulators.
It is important to name that explicitly. These kinds of incidents affect people and organizations deeply. That is precisely why it is valuable to look beyond questions of blame to see what we can learn from this.
In this blog, we analyze what this incident teaches us about governance and compliance, what fundamental questions it raises about data management and access rights, and what organizations can already do today to structurally reduce their risks.
Based on reliable reporting, it appears that:
The data included names, addresses, phone numbers, customer numbers, account numbers, sensitive notes and identity information. According to recent reports, driving licences, passports and even residence papers of diplomats have also been taken. About 6.2 million accounts have been mentioned.
In addition, discussion arose about retention periods. Former customers from five to 10 years ago received notice that their data may have been captured, while the privacy statement states that contract data are retained for a maximum of two years after the end of the contract (with exceptions for legal obligations). The investigation is ongoing, but governance issues obviously raise many questions.
With major data breaches, the initial focus is almost always on the question: how did they get in? But just as important is the question: what were the attackers able to do after they got in? After all, a successful phishing email does not have to yield millions of records. That only happens if the internal setup allows it.
When an employee account allows access to a system where full identity data is visible, it’s not just about security, but about how data is fundamentally organized. That applies especially to data such as passport numbers or bank account information. That kind of data should only be accessible to functions that strictly need it, and even then preferably minimized or masked.
When a system contains not only current data but also historical data many years old, and sensitive identity data is not logically separated from regular customer information, there is a bigger problem than just getting in. The real vulnerability then lies in how data is stored, classified and accessed. An attack can open the door, but the internal design determines how much can then be taken. Governance is thus not just a layer of protection on the outside, but primarily a mechanism to limit the damage on the inside.
That cannot be definitively determined at this time. Investigations are ongoing and it is up to the regulator to judge whether the AVG (the GDPR, as it is known in the Netherlands) has been violated. Odido’s privacy statement does state that contract data will be retained for up to two years after termination, with exceptions such as tax obligations (up to seven years) or specific credit constructions.
At the same time, former customers from five to 10 years ago also received notice of possible exposure of their data. This seems to indicate that some data may have been retained longer than the standard period from their own policies. Whether that actually violates the AVG depends on the exact context, outstanding liabilities and the purpose for which the data was still retained.
A data breach does not automatically mean that laws have been broken. But if governance in practice deviates from what is written on paper, a legal risk does arise.
A data breach is rarely just a technical incident. It affects multiple layers of an organization:
Trust is fragile. Especially when sensitive data such as bank account numbers or identity information is involved. Customers expect their data to be secure. Once that trust is damaged, it is not easily repaired.
The Personal Data Authority can investigate whether the AVG has been complied with. If it is found that security or data management was inadequate, enforcement action may follow.
When major data breaches occur, we increasingly see parties preparing claims for damages. Liability is legally complex, but the risk of litigation is real.
A data breach creates enormous pressure on support, IT, legal teams and communications departments. At the same time, internal turmoil often ensues. Employees feel implicated, sometimes even personally responsible.
When cybercriminals threaten to publish stolen data on the dark web, it creates long-term uncertainty. In this case, there is a threat of disclosure if payment is not made. This puts an organization in an extremely difficult position. Even if a ransom is demanded and paid, there is never complete certainty that data will actually be removed or not still be resold or published. Criminals operate outside any legal framework. Paying offers no guarantee.
No one is immune to cyber attacks. That’s the reality. Attackers are getting smarter, phishing emails more convincing and social engineering more sophisticated. Even organizations with comprehensive security measures can become targets.
But what we often see in major incidents is that the real damage comes not just from getting in, but from what is available afterwards. Many escalations become larger than necessary because basic principles of governance are not structurally in place or technically enforced. Therein lies the difference between an incident and a crisis.
The first step is to take a critical look at what personal data you, as an organization, actually need for your services. Data minimization means not collecting or storing more data than is necessary for the purpose for which it is intended. After all, each additional data set increases the risk in the event of an incident.
The more sensitive data you process and store by default, the greater the potential impact when something goes wrong. By critically determining which data is really necessary for your services and which is not, you structurally limit your risk profile.
Advice: Map out which personal data you process, test the purpose and necessity of each piece of data and remove or anonymize what is not strictly necessary. What you do not collect or store cannot be leaked.
At least as important as restricting access is looking critically at how long data is kept. Under the AVG, the principle of storage limitation applies: personal data may not be kept longer than necessary for the purpose for which it was collected. Data that no longer serves a functional or legal purpose is especially at risk.
In practice, we often see that data remains “just in case,” or because systems are not properly set up to automatically clean up. This is precisely where vulnerability arises. The longer historical data remains available, the greater the potential impact when someone gains access to a system.
Advice: Make sure retention periods are not just in policy or a privacy statement, but technically enforced. Work with automated retention policies, perform periodic checks on old data sets and set up clear lifecycle processes. What is deleted or anonymized in a timely manner also cannot be stolen.
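What "technically enforced" can look like in practice, as an added example that is not code from Odido or from the author of this blog: a scheduled job that computes each record's retention deadline from the contract end date (two years by default, seven years where a tax obligation applies, the periods quoted above), anonymizes anything past its deadline, and reports a backlog so the periodic check on old data sets has something concrete to look at. The record layout, the hold categories, the 365-day year approximation and all sample values are assumptions made for this example.

```python
from dataclasses import dataclass, replace
from datetime import date, timedelta
from typing import Optional

# Retention periods as the blog describes them: contract data for two years
# after the contract ends, seven years where a tax obligation applies.
# Assumption: a year is approximated as 365 days, which is good enough for a
# periodic check that flags backlog; it is not a legal deadline calculator.
DEFAULT_RETENTION = timedelta(days=2 * 365)
LEGAL_HOLD_RETENTION = {"tax": timedelta(days=7 * 365)}

# Fixed reference date so the run is reproducible (constructed).
REFERENCE_DATE = date(2026, 3, 1)


@dataclass(frozen=True)
class CustomerRecord:
    customer_id: str
    name: Optional[str]
    iban: Optional[str]
    passport_number: Optional[str]
    contract_end: Optional[date]      # None while the contract is still active
    legal_hold: Optional[str] = None  # "tax" or None (constructed categories)


def retention_deadline(rec: CustomerRecord) -> Optional[date]:
    """Date after which the record may no longer be kept in identifiable form."""
    if rec.contract_end is None:
        return None
    period = LEGAL_HOLD_RETENTION.get(rec.legal_hold, DEFAULT_RETENTION)
    return rec.contract_end + period


def is_expired(rec: CustomerRecord, today: date) -> bool:
    deadline = retention_deadline(rec)
    return deadline is not None and today > deadline


def anonymize(rec: CustomerRecord) -> CustomerRecord:
    """Strip everything that identifies a person. The customer number is kept
    so that aggregate figures and references from other systems still resolve."""
    return replace(rec, name=None, iban=None, passport_number=None, legal_hold=None)


def enforce_retention(records, today: date):
    """Apply the policy and return (cleaned records, overdue report).

    The overdue report lists each record that was past its deadline and by how
    many days. Anything in it on a scheduled run means the automated clean-up
    is not keeping up with the written policy, which is exactly the gap the
    blog warns about."""
    cleaned, overdue = [], []
    for rec in records:
        if is_expired(rec, today):
            overdue.append((rec.customer_id, (today - retention_deadline(rec)).days))
            cleaned.append(anonymize(rec))
        else:
            cleaned.append(rec)
    return cleaned, overdue


# Constructed sample data: names, IBANs and passport numbers are placeholders.
SAMPLE_RECORDS = [
    CustomerRecord("C001", "A. Jansen", "NL00BANK0000000001", "NX0000001", None),
    CustomerRecord("C002", "B. de Vries", "NL00BANK0000000002", "NX0000002", date(2025, 3, 1)),
    CustomerRecord("C003", "C. Bakker", "NL00BANK0000000003", "NX0000003", date(2023, 3, 1)),
    CustomerRecord("C004", "D. Visser", "NL00BANK0000000004", "NX0000004", date(2023, 3, 1), "tax"),
    CustomerRecord("C005", "E. Smit", "NL00BANK0000000005", "NX0000005", date(2017, 3, 1), "tax"),
]

if __name__ == "__main__":
    cleaned, overdue = enforce_retention(SAMPLE_RECORDS, REFERENCE_DATE)
    for customer_id, days in overdue:
        print(f"{customer_id}: kept {days} days past its retention deadline, now anonymized")
```

Run on the sample data, C003 (a regular contract that ended three years ago) and C005 (a tax hold that expired after seven years) are anonymized and reported; the active customer, the one-year-old contract and the tax hold that is still within seven years are left untouched. A former customer from five to ten years ago, as in the Odido reports, would show up in the overdue list with a four-digit day count, which is the signal a periodic check should never see.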
Even if you have critically determined what data you are processing, the question remains: who is allowed to access it next? Access to personal data should always be based on function and necessity. The more broadly access rights are set up, the greater the impact when an account is misused.
In many daily customer contacts, for example, name, customer number and contract information are sufficient to handle a query or make a change. Full passport numbers or complete IBANs are rarely necessary in most operational processes. That means these data do not need to be visible or accessible by default to all employees within a department.
Advice: Set up access rights based on function and need, and evaluate them regularly. Ensure that employees have access only to the information they need to perform their jobs. When an account is misused, the impact should be limited to a defined portion of the data, not the entire customer base.
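The two ideas in the last three paragraphs, and the earlier point about passport numbers and bank account information being masked or hidden, combined in one added example (not Odido's code and not the author's): fields are classified once by sensitivity, roles are granted sensitivity classes rather than individual fields, anything a role does not need in full is masked or omitted, and a row-level scope check limits each account to its own customer segment so a misused account cannot reach the whole customer base. Full views of financial or identity data are written to an audit log, which is what lets an incident be recognized afterwards. The field classes, role names, region scoping, masking rule and sample customer are all assumptions made for this example.

```python
from dataclasses import dataclass
from typing import Callable, Dict, List

# Each field is classified once (assumed scheme). Roles are then granted
# classes, so adding a field never silently widens access.
FIELD_CLASS = {
    "customer_number": "regular",
    "name": "regular",
    "contract": "regular",
    "iban": "financial",
    "passport_number": "identity",
}

# Classes each role may see in full (assumed roles).
ROLE_FULL_ACCESS = {
    "support": {"regular"},
    "finance": {"regular", "financial"},
    "identity_desk": {"regular", "identity"},
}

# Reduced forms for classes a role may see only partially. A class that is
# neither granted in full nor listed here is omitted from the view entirely,
# which is what happens to passport numbers for everyone but the identity desk.
MASKING: Dict[str, Callable[[str], str]] = {
    # country code plus last four characters, enough to confirm a payment account
    "financial": lambda v: v[:2] + "*" * (len(v) - 6) + v[-4:],
}

# Every full view of a non-regular class is recorded here (detection, not prevention).
AUDIT_LOG: List[dict] = []


@dataclass(frozen=True)
class Agent:
    user: str
    role: str
    region: str  # the customer segment this agent is allowed to work on


def in_scope(agent: Agent, record: dict) -> bool:
    """Row-level check: an account only reaches customers in its own segment,
    so a misused account exposes one region rather than the whole customer base."""
    return agent.region == record["region"]


def view_customer(agent: Agent, record: dict) -> dict:
    """Return only the fields this agent needs: full where the role is granted
    the class, masked where a reduced form is defined, dropped otherwise."""
    if agent.role not in ROLE_FULL_ACCESS:
        raise PermissionError(f"unknown role {agent.role!r}")
    if not in_scope(agent, record):
        raise PermissionError(f"{agent.user} may not access customers in {record['region']!r}")
    allowed = ROLE_FULL_ACCESS[agent.role]
    view, sensitive_shown = {}, []
    for field, value in record.items():
        cls = FIELD_CLASS.get(field)
        if cls is None:
            continue  # internal metadata such as "region" is never displayed
        if cls in allowed:
            view[field] = value
            if cls != "regular":
                sensitive_shown.append(field)
        elif cls in MASKING:
            view[field] = MASKING[cls](value)
    if sensitive_shown:
        AUDIT_LOG.append({"user": agent.user, "customer": record["customer_number"],
                          "fields": sorted(sensitive_shown)})
    return view


# Constructed sample customer: IBAN and passport number are placeholders.
SAMPLE_CUSTOMER = {
    "customer_number": "C001",
    "name": "A. Jansen",
    "contract": "Unlimited 2024",
    "iban": "NL00BANK0000000001",
    "passport_number": "NX0000001",
    "region": "north",
}

if __name__ == "__main__":
    for role in ("support", "finance", "identity_desk"):
        print(role, view_customer(Agent(f"{role}.user", role, "north"), SAMPLE_CUSTOMER))
    print("audit:", AUDIT_LOG)
```

A support agent in the right region sees the name, customer number, contract and a masked IBAN, and no passport number at all; finance sees the full IBAN, the identity desk sees the passport number, and a support account from another region is refused before any field is read. Evaluating access rights regularly then reduces to reviewing two small tables and the audit log rather than auditing screen by screen.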
No matter how well designed systems are, ultimately people work with them. And social engineering in particular focuses on that human side. Attackers play on trust, urgency and authority. This means that even well-trained employees can make a mistake under pressure. This is not an individual failure, but a reality that you must take into account as an organization.
Awareness is therefore not an afterthought, but a structural part of governance. Employees must understand why certain security measures exist, the risks involved and their role in them. Certainly positions with access to sensitive systems deserve extra attention.
Advice: Invest in training and awareness programs, conduct phishing simulations, for example, and provide clear and accessible reporting procedures. Make security something that can be discussed openly, without a blame culture. When employees feel both aware and supported, you reduce the chances of an attack succeeding and increase the chances of an incident being recognized and mitigated quickly.
Many organizations assume that governance and compliance are in order. Policies have been written, security measures have been implemented, and work is being done in accordance with the AVG. It may be true on paper, but in practice it must also be demonstrably working. Are retention periods actually technically enforced? Are access rights really based on necessity? Is sensitive information logically separated and with limited visibility? It is precisely on these points that risks often arise unnoticed.
A data breach rarely occurs because of one big mistake. Usually it is a sum of small vulnerabilities in access, retention periods and setup. Want to know if your organization is at risk? With a Governance & Compliance Scan we clearly map out where you stand, where possible risks are and what concrete steps you can take to limit the impact of an incident.
Schedule a scan and get a grip before an incident forces you to react after the fact!