The Odido Hack: One of the Netherlands’ Largest Telecom Data Breaches

Earlier this month, Dutch telecom giant Odido revealed a major data breach affecting millions of customers.

The headlines focus on what data was exposed. But the more important question is: what does this teach us about security and data protection?

What Happened?

During the weekend of February 7-8, 2026, attackers accessed Odido’s customer contact database. Services were not disrupted, but personal data such as names, addresses, phone numbers, and bank account numbers was exposed. Passwords and call logs were reportedly not affected.

How Did Hackers Get In – and What Does That Tell Us?

The attackers reportedly used phishing emails and phone calls, pretending to be IT support. They got in even though multi-factor authentication (MFA) was in place.

This teaches us several important lessons about security, in plain terms:

  • MFA alone is not enough. Attackers can use MFA fatigue (repeatedly sending push approval requests until someone taps “approve”) or talk staff into resetting a user’s security settings, including their MFA enrolment. Phishing-resistant MFA, such as FIDO2/WebAuthn security keys or passkeys, holds up where SMS codes and push notifications do not: there is no code to read out to a fake “IT support” caller and no prompt to approve by mistake.

  • IAM (Identity & Access Management) matters. How a company controls who can log in and what they can do is key. One compromised account shouldn’t have access to all customer data.

  • Privilege levels should be limited. Employees should only see the data they need for their job. This “least privilege” approach reduces risk if an account is stolen.

  • Monitoring is critical. Systems should watch for unusual activity, such as one account reading far more customer records than its job requires, bulk exports, or logins at odd hours, and alert the security team immediately rather than at the next log review.

In short, this breach shows that it’s not just about MFA or passwords. It’s about how identities are managed, how privileges are set, and how quickly suspicious behavior is detected.
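The monitoring lesson is easiest to see in code. The example below is added to this article and is not Odido’s or Forus-P’s own tooling: it runs a handful of detection rules over a small, constructed audit log (the log format, field names, user names and thresholds are all assumptions made for the example). It flags an off-hours login, single queries that return too many rows, a mass export, and, importantly, a user whose many smaller reads add up to a large volume within one hour, which a per-query threshold alone would miss.

```python
"""Toy detection rules for the 'monitoring' lesson: flag off-hours logins,
bulk reads and mass exports of customer records in an access log.
The log format, user names and thresholds are assumptions for this example."""
import re
from collections import defaultdict
from datetime import datetime, timezone

# Constructed sample audit log (illustrative only, not real Odido data).
SAMPLE_LOG = """\
2026-02-07T02:13:41Z user=jdoe action=login src=203.0.113.5 result=ok
2026-02-07T02:14:02Z user=jdoe action=query table=customers rows=1200
2026-02-07T02:14:30Z user=jdoe action=query table=customers rows=1500
2026-02-07T02:15:10Z user=jdoe action=export table=customers rows=250000
2026-02-07T10:05:00Z user=asmith action=login src=198.51.100.7 result=ok
2026-02-07T10:06:00Z user=asmith action=query table=customers rows=1
2026-02-07T10:07:00Z user=asmith action=query table=customers rows=1
"""

# Thresholds are assumptions; in practice tune them to each role's baseline.
OFF_HOURS = range(0, 6)          # 00:00-05:59 UTC counts as "odd hours"
BULK_QUERY_ROWS = 1000           # a single query returning this many rows
EXPORT_ROWS = 10_000             # an export this large
HOURLY_ROWS_PER_USER = 2000      # total rows read by one user within one hour

KV = re.compile(r"(\w+)=(\S+)")


def parse_line(line):
    """Parse 'TIMESTAMP key=value ...' into a dict; return None for junk lines."""
    ts, _, rest = line.strip().partition(" ")
    try:
        when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    except ValueError:
        return None
    fields = dict(KV.findall(rest))
    fields["time"] = when
    fields["rows"] = int(fields.get("rows", 0))   # logins carry no row count
    return fields


def detect(log_text):
    """Return a list of (user, rule, detail) alerts for the given log text."""
    alerts = []
    hourly_rows = defaultdict(int)   # (user, "YYYY-MM-DDTHH") -> rows read so far
    for raw in log_text.splitlines():
        ev = parse_line(raw)
        if ev is None or "user" not in ev:
            continue
        user, action, rows = ev["user"], ev.get("action"), ev["rows"]

        if action == "login" and ev["time"].hour in OFF_HOURS:
            alerts.append((user, "off_hours_login", ev["time"].isoformat()))
        if action == "query" and rows >= BULK_QUERY_ROWS:
            alerts.append((user, "bulk_read", f"{rows} rows from {ev.get('table')}"))
        if action == "export" and rows >= EXPORT_ROWS:
            alerts.append((user, "mass_export", f"{rows} rows from {ev.get('table')}"))

        if action in ("query", "export"):
            bucket = (user, ev["time"].strftime("%Y-%m-%dT%H"))
            before = hourly_rows[bucket]
            hourly_rows[bucket] += rows
            # Fire once, when the running total first crosses the threshold:
            # this catches many small reads that never trip bulk_read on their own.
            if before < HOURLY_ROWS_PER_USER <= hourly_rows[bucket]:
                alerts.append((user, "hourly_volume",
                               f"{hourly_rows[bucket]} rows in hour {bucket[1]}"))
    return alerts


def users_flagged(alerts):
    """Distinct users that triggered at least one rule."""
    return sorted({user for user, _, _ in alerts})


if __name__ == "__main__":
    for user, rule, detail in detect(SAMPLE_LOG):
        print(f"ALERT {rule:16} {user:8} {detail}")
```

Running it flags only jdoe (five alerts, including one for the two 1,200 and 1,500 row reads that together cross the hourly limit) and nothing for asmith, whose one-record lookups during office hours are exactly what a support role should look like. The useful design point is the last rule: an attacker who knows about a per-query threshold will page through the table in small batches, so volume has to be tracked per identity over time, not per request.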

What About Data Retention?

Some affected people reportedly left Odido years ago. The company has said it keeps data for two years, but the breach suggests older data may still have existed.

Under the General Data Protection Regulation (GDPR), companies must:

  • Keep personal data only as long as necessary

  • Clearly define retention periods

  • Delete data when it is no longer needed

Keeping unnecessary data increases risk.

You can’t leak data you don’t store.

The Bigger Lesson

This breach was not just a human error issue. It shows that security depends on:

  • Strong and phishing-resistant MFA

  • Strict access control (least privilege)

  • Fast detection of unusual activity

  • Clear and enforced data retention rules

The key question for any company is simple: If one employee account is compromised, how much data can it really access?

That answer determines whether an incident stays small… or becomes national news.

How can Forus-P Help?

At Forus-P, we specialise in providing top-tier cybersecurity solutions tailored to your unique needs. Our team is dedicated to protecting your systems, ensuring your data stays secure, and helping you navigate the ever-evolving digital landscape. Let us help you enhance your cybersecurity with innovative, reliable solutions.