Odido Refuses to Compensate 6.2M Breach Victims After ShinyHunters Attack

Odido's CEO confirmed May 12 that the Dutch telecom will not compensate 6.2 million ShinyHunters breach victims. Dutch prosecutors are investigating whether the company retained data beyond GDPR limits. The CRM compromise pattern matches the broader ShinyHunters Salesforce campaign.


The Netherlands' largest mobile network operator just told 6.2 million breach-affected customers they get nothing — while Dutch prosecutors investigate whether Odido kept their data longer than GDPR allowed. The position will be tested in court within months.

AMSTERDAM, NETHERLANDS — Odido CEO Søren Abildgaard confirmed via De Telegraaf interview on May 12, 2026 that the Dutch mobile network operator will not offer compensation to customers affected by the February 2026 cyberattack that exposed personal data of approximately 6.2 million accounts — roughly one-third of the Netherlands' population. Abildgaard's position: there is no evidence Odido breached any regulations, and "criminals should not be rewarded for illegal activities," confirming the company refused to pay the ShinyHunters ransom. The hacker group then published all stolen customer data online.

The data exposed is exactly the credentials needed for downstream identity fraud at scale: names, addresses, phone numbers, email addresses, dates of birth, bank account numbers (IBANs), and government ID document details — passport and driver's license numbers with validity dates. Cybernews has documented that the stolen data has been used for criminal activities including phishing. The breach pattern mirrors the broader ShinyHunters Salesforce-targeting campaign — Odido's customer contact system (CRM) was the compromised vector, and Salesforce reportedly warned the company about system security before the breach.

Odido Breach Profile

| Detail | Information |
| --- | --- |
| Victim | Odido — Netherlands' largest mobile network operator (rebranded from T-Mobile Netherlands in 2023); includes subsidiary Ben NL |
| Detection / disclosure | Detected the weekend of February 7-8, 2026; publicly disclosed February 12, 2026 |
| Affected accounts | Approximately 6.2 million — roughly one-third of the Netherlands' population |
| Threat actor | ShinyHunters — claimed responsibility February 24, 2026; demanded ransom; published all stolen data after Odido refused |
| Attack vector | Customer contact system (CRM); Salesforce reportedly warned Odido about system security |
| Data exposed | Names, addresses, phone numbers, email addresses, dates of birth, IBANs, passport and driver's license numbers — NOT passwords, billing, location, or ID scans |
| CEO position (May 12) | Søren Abildgaard: no compensation to affected customers; "criminals should not be rewarded for illegal activities" |
| Criminal investigation | Dutch Public Prosecution Service opened investigation examining whether Odido retained personal data longer than permitted under GDPR |
| Class action | Consumers United in Court (CUIC) — founded by Privacy First (NL) and noyb (AT); approximately 350,000 customers registered by late April |

The position Abildgaard staked out and what it will be tested against

Abildgaard's De Telegraaf interview makes four arguments worth pulling apart. First, there is no evidence Odido breached any regulations — a position the Dutch Public Prosecution Service is actively investigating. Second, criminals should not be rewarded for illegal activities — the principled-refusal-to-pay framing the broader ransomware ecosystem has been pushing toward for years. Third, this was "not an ordinary attack" — implicitly arguing the ShinyHunters intrusion was sophisticated enough that reasonable security measures would not have prevented it. Fourth, Odido is continuously strengthening cybersecurity defences — the standard post-incident remediation language. The principled-refusal position aligns with what defenders generally argue is the right ecosystem-level posture: every refusal raises the operational cost of the campaign and degrades the unit economics of mass extortion.

What Abildgaard's position will be tested against is the Dutch Public Prosecution Service investigation now examining whether Odido retained personal data longer than permitted under GDPR. NOS reported on February 17 that Odido may have retained former-customer data beyond its stated 2-year period — and the breach demonstrably affected former customers who had left the company five to ten years earlier. If the criminal investigation concludes Odido violated GDPR's storage limitation principle, the company's "no evidence of any regulatory breach" position collapses, and the no-compensation position with it.

Three regulatory tracks running in parallel

The Odido case has three regulatory and legal tracks operating concurrently. The first is the Dutch Public Prosecution Service criminal investigation into data retention. The second is Autoriteit Persoonsgegevens, the Dutch data protection authority, which is monitoring the case and has told the public that additional individual complaints are not necessary — meaning the regulator is collecting evidence on its own initiative. The third is the class action being assembled by Consumers United in Court (CUIC), a Dutch consumer organization founded by Privacy First (Netherlands) and noyb (Austria). CUIC had registered approximately 350,000 customers by late April. The class action's specific arguments mirror the criminal investigation: too much data stored for too long, stored information not properly protected, insufficient transparency, failed reporting obligations. CUIC is also questioning Odido's response to warnings from Salesforce regarding system security.

The combined exposure pattern — criminal investigation, regulatory monitoring, class action — is the European version of the federal-plus-state combination defenders saw California pursue against GM over OnStar driver data earlier this month, and the UK ICO pursue against South Staffordshire Water with a near-£1-million fine. The three jurisdictions are independently converging on the same baseline: data retention and minimization are now actively enforced compliance questions, and "we refused to pay the criminals" is not by itself a defense against the regulatory consequences of holding data you shouldn't have held.

Why the CRM attack vector matters more than the headline number

The 6.2 million account figure is the headline, but the operational lesson for defenders is the CRM attack vector. Odido's customer contact system was compromised — not operational telecom systems (phone, internet, TV). The pattern is consistent with the broader ShinyHunters Salesforce-targeting campaign that has hit, among others, ADT, Carnival Cruise Line, Rockstar Games, McGraw Hill, 7-Eleven, Vimeo, Medtronic, Cushman & Wakefield, and Instructure (Canvas), which just paid a ransom on behalf of 8,809 affected schools. CRM systems concentrate exactly the data that fuels downstream identity fraud — and they are typically protected by less mature security architectures than core operational systems because they sit on the customer-facing rather than service-delivery side of the house. Salesforce reportedly warned Odido about system security; the breach happened anyway.

The broader European telecom breach context matters too. AT&T's 176 million enriched records are still circulating. T-Mobile settled $31.5 million with the FCC in January 2025. SK Telecom in South Korea reported a 90 percent drop in Q3 operating profit after a breach affecting 27 million customers. Free SAS / Free Mobile in France took a $42 million fine over 24 million subscribers. Optus Australia exposed 10 million customers in 2022. The telecom CRM is now the year's most consistently breached high-value data store across continents. Defender priority should reflect that.


The CyberSignal Analysis

Signal 01 — Principled ransom refusal is a defensible position but does not insulate against data-retention enforcement

Odido's CEO is making the right ecosystem-level argument when he says criminals should not be rewarded. The challenge is that the Dutch criminal investigation is not asking whether Odido was right to refuse the ransom — it is asking whether Odido held the breached data longer than GDPR permits. Those are two separate questions with two separate accountability frameworks. CISOs and General Counsel at organizations weighing the ransom-payment decision should pre-script both questions independently. "We refused to pay" and "we held the data appropriately" need to be true together for the no-compensation position to survive regulatory scrutiny. If only one is true, the other becomes the load-bearing question and the regulatory consequences land on it.

Signal 02 — CRM systems are now the year's most consistently breached data store, and Salesforce warnings are evidence of foreseeability

The pattern across Cushman, Canvas, ADT, Odido, and the broader ShinyHunters victim list is now identifiable enough that CRM compromise should be treated as a baseline 2026 attack scenario, not an edge case. The specific Salesforce-warned-the-vendor detail in the Odido case matters legally: if a vendor has been warned by the platform provider about specific security concerns and a breach occurs through that concern, the warning becomes documented evidence in regulatory and class-action proceedings. Audit your Salesforce / customer contact system security posture this week. Document vendor warnings and your remediation timeline. The next breach in this pattern will be measured against whether the victim acted on warnings or not.

What to do this week

  1. Audit your data retention practices for former customers specifically. The Odido case is operational evidence that retaining former-customer data 5-10 years beyond the customer relationship is now an active enforcement question under GDPR Article 5(e). Document your retention rationale or plan deletion.
  2. Treat CRM as a top-tier attack surface. Implement detection for bulk-export queries, anomalous high-volume customer record retrievals, and vendor-API token abuse. Audit Salesforce security configurations against current vendor guidance. Document warnings received from the platform vendor and your remediation timeline.
  3. Pre-script your "refused ransom plus refused compensation" scenario. Document the regulatory exposure under GDPR, the class-action exposure under member-state consumer protection law, and the criminal investigation exposure under data-protection statutes. The Odido CEO's position is being tested in court within months; your equivalent position should be stress-tested before an incident, not after.
  4. For European organizations specifically: engage your DPO for a GDPR Article 5(e) storage limitation compliance review. The Dutch case is the active enforcement template; the Autoriteit Persoonsgegevens posture suggests the regulator is collecting evidence proactively rather than waiting for complaints.
  5. Brief boards on the three-track regulatory pattern: criminal investigation, regulatory enforcement, class-action litigation. Each operates independently with independent timelines and outcomes. Cyber insurance coverage should be assessed against all three exposures, not just the breach response cost.
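Steps 1 and 2 above, the former-customer retention audit and the CRM bulk-retrieval detection, carried through as working code. This is an added example, not code from Odido, Salesforce or this article: the JSON-lines audit log format, its field names, the thresholds, the sliding-window logic, the two-year retention policy as implemented here and every sample record are constructed assumptions, chosen only to show the shape of the checks a defender would run against a real CRM export log and customer table.

```python
"""Constructed CRM audit-log detection plus a retention check (added example).

Not Odido's, Salesforce's or the article's code. Field names, thresholds,
log format and sample data are all assumptions made for illustration.
"""
from collections import defaultdict
from datetime import datetime, timedelta
import json

# Constructed audit log in JSON lines. The field names are assumptions, not a
# real CRM vendor's event schema. One service account pulls many medium-sized
# pages via the API and then runs one very large export; two humans behave normally.
SAMPLE_AUDIT_LOG = """\
{"ts": "2026-02-07T01:02:11Z", "user": "svc-integration", "action": "query", "records": 180, "client": "api"}
{"ts": "2026-02-07T01:03:40Z", "user": "svc-integration", "action": "query", "records": 2000, "client": "api"}
{"ts": "2026-02-07T01:04:05Z", "user": "svc-integration", "action": "query", "records": 2000, "client": "api"}
{"ts": "2026-02-07T01:04:59Z", "user": "svc-integration", "action": "query", "records": 2000, "client": "api"}
{"ts": "2026-02-07T01:05:30Z", "user": "svc-integration", "action": "export", "records": 250000, "client": "api"}
{"ts": "2026-02-07T09:15:00Z", "user": "agent.jansen", "action": "query", "records": 1, "client": "ui"}
{"ts": "2026-02-07T09:16:12Z", "user": "agent.jansen", "action": "query", "records": 1, "client": "ui"}
not valid json at all
{"ts": "2026-02-07T11:00:00Z", "user": "analyst.bakker", "action": "export", "records": 400, "client": "ui"}
"""

BULK_EXPORT_THRESHOLD = 10_000   # assumed: any single export at or above this is flagged
WINDOW = timedelta(minutes=10)   # assumed: sliding window for per-user retrieval volume
WINDOW_THRESHOLD = 5_000         # assumed: records one user may retrieve per window


def parse_log(text):
    """Parse JSON lines into event dicts with real datetimes; skip malformed lines."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            ev = json.loads(line)
            ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")
            events.append(ev)
        except (ValueError, KeyError, TypeError):
            continue  # a malformed line must not crash the detector
    return events


def detect_anomalous_retrieval(events):
    """Return (rule, user, record_count) alerts.

    Rule bulk_export: one export at or above BULK_EXPORT_THRESHOLD records.
    Rule high_volume_window: a user whose retrieved records inside any WINDOW
    exceed WINDOW_THRESHOLD, which catches many medium-sized API pulls that
    individually look harmless. One window alert per user is enough for triage.
    """
    alerts = []
    by_user = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["ts"]):
        if ev["action"] == "export" and ev["records"] >= BULK_EXPORT_THRESHOLD:
            alerts.append(("bulk_export", ev["user"], ev["records"]))
        by_user[ev["user"]].append(ev)

    for user, evs in by_user.items():
        start, total = 0, 0
        for end, ev in enumerate(evs):
            total += ev["records"]
            # Slide the window start forward until it fits inside WINDOW.
            while evs[end]["ts"] - evs[start]["ts"] > WINDOW:
                total -= evs[start]["records"]
                start += 1
            if total > WINDOW_THRESHOLD:
                alerts.append(("high_volume_window", user, total))
                break
    return alerts


# Constructed former-customer records; ids and dates are assumptions.
SAMPLE_CUSTOMERS = [
    {"id": "c1", "contract_end": "2025-11-30"},  # recent leaver, inside the period
    {"id": "c2", "contract_end": "2023-12-31"},  # just over two years at review date
    {"id": "c3", "contract_end": "2016-05-01"},  # ten years gone: should be deleted
    {"id": "c4", "contract_end": None},          # still an active customer
]
RETENTION = timedelta(days=2 * 365)  # assumed policy: two years after contract end


def overdue_for_deletion(customers, review_date):
    """Return ids of former customers held longer than RETENTION as of review_date (YYYY-MM-DD)."""
    review = datetime.strptime(review_date, "%Y-%m-%d")
    overdue = []
    for c in customers:
        if c["contract_end"] is None:
            continue  # active relationship: storage limitation clock not running
        end = datetime.strptime(c["contract_end"], "%Y-%m-%d")
        if review - end > RETENTION:
            overdue.append(c["id"])
    return overdue


if __name__ == "__main__":
    for alert in detect_anomalous_retrieval(parse_log(SAMPLE_AUDIT_LOG)):
        print("ALERT", *alert)
    print("overdue for deletion:", overdue_for_deletion(SAMPLE_CUSTOMERS, "2026-02-07"))
```

Both checks are deliberately simple so their output is explainable in a regulatory proceeding: the retention function produces the list of records that should already have been deleted on a given date, and the detector gives a one-line reason per alert. In a real deployment the thresholds would be set from a baseline of normal agent and integration behaviour, and the window rule would run on streaming events rather than a sorted batch.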

Sources

| Type | Source |
| --- | --- |
| Primary | NL Times: Odido Rules Out Compensation for Massive Cyberattack |
| Reporting | Cybernews: Odido Class Action — ShinyHunters Published 6.2M Records on Dark Web |
| Reporting | The Register: Odido Original Breach Disclosure |
| Reporting | TechCrunch: Dutch Phone Giant Odido Says Millions Affected |
| Reporting | The Record: Dutch Telecom Giant Announces Data Breach |
| Analysis | Bright Defense: Odido Breach Comprehensive Timeline |