The Odido data breach and the cost of centralized identity storage

Yivi Team 8 min read
Tags: data breach, privacy, security, decentralized, Odido, telecom, identity verification, cyber security, regulation

It’s the largest data breach in Dutch history. In early March 2026, the hacker group ShinyHunters published the complete dataset of stolen Odido customer data online after the telecom company refused to pay ransom. The result: personal data of 6.5 million Dutch citizens and 600,000 companies are now publicly available on the dark web.

This data breach raises fundamental questions about how Dutch society handles identity verification and data storage. While security at Odido fell short, the situation is more complex than “Odido did it wrong.” The reality is that telecom companies are legally required to collect and retain extensive customer data.

What happened at Odido

Between February 7 and 8, 2026, hackers from ShinyHunters (known for previous attacks on Ticketmaster and Microsoft) used a classic but effective social engineering attack. They sent phishing emails to customer service employees, stole passwords, and then called these employees while impersonating Odido IT staff. By talking the employees into approving the resulting second-factor (2FA) login prompt, the hackers gained access to Odido’s Salesforce system.

For 48 hours, they were able to scrape the database undetected. The result is devastating:

  • More than 5 million unique identification documents: driver’s licenses, passports, residence permits
  • Complete personal data: names, addresses, dates of birth
  • Financial information: bank account numbers
  • Sensitive notes: internal notes about customers, including information about stalking, domestic violence, and protected addresses of victims

When Odido refused to pay the ransom of €500,000 — a decision made on the advice of police and cybersecurity specialists — ShinyHunters published the complete dataset online on March 1, 2026.

It’s easy to criticize Odido for retaining so much sensitive data. But the reality is more nuanced. Telecom companies in the Netherlands operate under strict legal obligations.

The Telecommunications Act and law enforcement powers

Under the Telecommunications Act (Telecommunicatiewet) and related regulations, telecom providers are required to:

  • Perform customer identification: When signing up for a subscription, the customer’s identity must be verified with a valid identity document.
  • Keep data available for law enforcement: Police and judicial authorities can request customer data based on legal powers. Telecom companies must be able to provide this data.
  • Link personal details to phone numbers: For combating crime and terrorism, it’s essential that a phone number can be traced back to a person.

These obligations exist for good reasons. They help in tracking down criminals, locating missing persons, and investigating serious crimes. The societal value is real.

The dilemma of centralized storage

Here’s where the dilemma emerges: the same data that’s useful for legitimate law enforcement purposes also becomes a target for criminals. If the law requires that Odido can prove who customer X is, then that information must be stored somewhere. And everything that’s stored can be stolen.

This isn’t the failure of one company — it’s a fundamental tension in how we as a society have organized identity verification. We’ve created a system where thousands of organizations function as custodians of sensitive identity data. Every organization is a potential target.

The attack: why 2FA wasn’t enough

An important detail in the Odido hack deserves attention: the hackers bypassed two-factor authentication (2FA) by calling employees and tricking them into approving a secondary login request.

This illustrates a structural weakness of conventional 2FA. Whether it’s SMS codes, TOTP codes from an authenticator app, or push approvals, each method ends with a human either reading out a code or tapping “approve”, and that human can be talked into doing so for a login they did not start. An employee who receives a call from “IT” asking them to “just approve that login request” can, in a moment of inattention, grant access to an attacker. (Origin-bound methods such as FIDO2 security keys and passkeys take that human step out of the loop, which is why they are called phishing-resistant.)

This isn’t criticism of individual employees. People aren’t robots, and social engineering attacks are becoming increasingly sophisticated. The problem lies in the system: as long as authentication depends on codes or approvals that can be intercepted or coerced, this risk remains.
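To make the pattern described above concrete for a detection team, here is an added example (not code from the original post, nor from Yivi) of the logic a security team could run over identity-provider sign-in logs to surface approvals obtained by a phone call: a push approved for a login from an IP the user has never used, or an approval shortly after the same user denied a prompt. The log format, user names, IP addresses and baseline are constructed for this example and do not come from the Odido incident.

```go
package main

import (
	"fmt"
	"strings"
	"time"
)

// AuthEvent is one record of an identity-provider sign-in log. The IP is the
// address of the login attempt that triggered the prompt (the attacker's machine
// in the scenario above), not the phone that approved it.
type AuthEvent struct {
	At   time.Time
	User string
	Kind string // password_ok | push_sent | push_denied | push_approved
	IP   string
}

// ParseLog reads "RFC3339 user kind ip" lines; this layout is an assumption for
// the example, not any vendor's export format.
func ParseLog(raw string) ([]AuthEvent, error) {
	var evs []AuthEvent
	for _, line := range strings.Split(strings.TrimSpace(raw), "\n") {
		f := strings.Fields(line)
		if len(f) != 4 {
			return nil, fmt.Errorf("malformed line %q", line)
		}
		at, err := time.Parse(time.RFC3339, f[0])
		if err != nil {
			return nil, err
		}
		evs = append(evs, AuthEvent{At: at, User: f[1], Kind: f[2], IP: f[3]})
	}
	return evs, nil
}

// Baseline maps each user to the source IPs they have signed in from before
// (in practice derived from weeks of history; hard-coded below).
type Baseline map[string]map[string]bool

type Alert struct {
	At     time.Time
	User   string
	IP     string
	Reason string
}

// DetectCoercedApprovals flags two patterns behind a "please approve that
// request" call: the approved login came from an IP the user has never used,
// or the user denied a prompt shortly before approving one.
func DetectCoercedApprovals(evs []AuthEvent, base Baseline, window time.Duration) []Alert {
	var alerts []Alert
	for i, e := range evs {
		if e.Kind != "push_approved" {
			continue
		}
		if !base[e.User][e.IP] {
			alerts = append(alerts, Alert{e.At, e.User, e.IP, "approved a login from an IP never seen for this user"})
		}
		for j := i - 1; j >= 0 && e.At.Sub(evs[j].At) <= window; j-- { // events are in time order
			if evs[j].User == e.User && evs[j].Kind == "push_denied" {
				alerts = append(alerts, Alert{e.At, e.User, e.IP, "approved a prompt shortly after denying one"})
				break
			}
		}
	}
	return alerts
}

// Constructed sample: j.devries is a normal sign-in; m.bakker's password was
// phished, the first push was denied, the second approved after a phone call.
const sampleLog = `
2026-02-07T09:01:10Z j.devries password_ok 10.20.30.40
2026-02-07T09:01:12Z j.devries push_sent 10.20.30.40
2026-02-07T09:01:40Z j.devries push_approved 10.20.30.40
2026-02-07T14:22:05Z m.bakker password_ok 203.0.113.9
2026-02-07T14:22:06Z m.bakker push_sent 203.0.113.9
2026-02-07T14:22:30Z m.bakker push_denied 203.0.113.9
2026-02-07T14:25:01Z m.bakker password_ok 203.0.113.9
2026-02-07T14:25:02Z m.bakker push_sent 203.0.113.9
2026-02-07T14:27:45Z m.bakker push_approved 203.0.113.9
`

var sampleBaseline = Baseline{
	"j.devries": {"10.20.30.40": true},
	"m.bakker":  {"10.20.30.41": true},
}

// AnalyzeSample runs the detector over the constructed log with a 10-minute window.
func AnalyzeSample() ([]Alert, error) {
	evs, err := ParseLog(sampleLog)
	if err != nil {
		return nil, err
	}
	return DetectCoercedApprovals(evs, sampleBaseline, 10*time.Minute), nil
}

func main() {
	alerts, err := AnalyzeSample()
	if err != nil {
		panic(err)
	}
	for _, a := range alerts {
		fmt.Printf("%s %s %s: %s\n", a.At.Format(time.RFC3339), a.User, a.IP, a.Reason)
	}
}
```

On the sample both rules fire for m.bakker and neither for j.devries. Either alert alone is worth a call back to the employee over a known channel; neither rule stops the approval, which is the point of the section: as long as a human can approve a prompt they did not initiate, detection is the backstop, not the fix.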

A different approach: decentralized identity

This brings us to a fundamentally different way of thinking about identity verification. What if the data needed for verification wasn’t stored centrally at thousands of companies, but remained with the citizen?

This is the principle behind decentralized identity systems like Yivi. Instead of a company storing a copy of your passport, the user themselves proves — via cryptographically signed attributes on their own phone — that they are who they claim to be.

How does this work in practice?

In a decentralized system:

  1. The user holds attributes (name, date of birth, BSN (the Dutch citizen service number), etc.) on their own phone, cryptographically signed by a trusted source (municipality, government)
  2. During verification, the user shows only the attributes the verifier needs, for example “I am over 18” or “this is my name and address”
  3. The company receives a cryptographic proof that these attributes were issued by that source and have not been altered, without permanently storing the underlying data
  4. The company stores “customer verified on [date]”, not the identity data itself
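The four steps above as an added example in Go, which is not Yivi’s own code: it uses a simplified hash-based selective-disclosure scheme (salted attribute hashes signed with ed25519, in the style of SD-JWT) instead of Yivi’s Idemix credentials, so it shows the disclose-a-subset and store-only-the-fact properties but not Idemix’s unlinkability between sessions. The issuer name, key and attribute values are constructed for the example.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
	"sort"
	"time"
)

// Credential lives on the holder's phone. The issuer signs only the sorted list
// of salted attribute hashes, so any subset of attributes can be revealed later
// and the signature still verifies. (Hash-based disclosure in the style of
// SD-JWT; Yivi itself uses Idemix signatures, which add unlinkability.)
type Credential struct {
	Issuer    string
	Attrs     map[string]string // plaintext values; leave the phone only when disclosed
	Salts     map[string][]byte // per-attribute blinding salt
	Digests   [][]byte          // sorted sha256(salt, name, value), one per attribute
	Signature []byte            // ed25519 over issuer || digests
}

func attrDigest(salt []byte, name, value string) []byte {
	d := sha256.Sum256([]byte(string(salt) + "\x00" + name + "\x00" + value))
	return d[:]
}

func signedPayload(issuer string, digests [][]byte) []byte {
	return bytes.Join(append([][]byte{[]byte(issuer)}, digests...), nil)
}

// Issue: the trusted source (e.g. a municipality) signs all attributes at once.
func Issue(issuer string, priv ed25519.PrivateKey, attrs map[string]string) (*Credential, error) {
	c := &Credential{Issuer: issuer, Attrs: map[string]string{}, Salts: map[string][]byte{}}
	for name, value := range attrs {
		salt := make([]byte, 16)
		if _, err := rand.Read(salt); err != nil {
			return nil, err
		}
		c.Attrs[name], c.Salts[name] = value, salt
		c.Digests = append(c.Digests, attrDigest(salt, name, value))
	}
	// Sorting hides which digest belongs to which attribute name.
	sort.Slice(c.Digests, func(i, j int) bool { return bytes.Compare(c.Digests[i], c.Digests[j]) < 0 })
	c.Signature = ed25519.Sign(priv, signedPayload(issuer, c.Digests))
	return c, nil
}

// Disclose builds the presentation sent to a verifier: the full digest list and
// signature, but Attrs and Salts for the named attributes only.
func (c *Credential) Disclose(names ...string) (*Credential, error) {
	p := &Credential{Issuer: c.Issuer, Attrs: map[string]string{}, Salts: map[string][]byte{},
		Digests: c.Digests, Signature: c.Signature}
	for _, n := range names {
		v, ok := c.Attrs[n]
		if !ok {
			return nil, fmt.Errorf("no attribute %q in credential", n)
		}
		p.Attrs[n], p.Salts[n] = v, c.Salts[n]
	}
	return p, nil
}

// Verify checks the issuer signature and that each revealed value hashes to a
// signed digest; a tampered value or an untrusted issuer is rejected. It returns
// the revealed attributes, and the caller decides what (little) to persist.
func Verify(p *Credential, trusted map[string]ed25519.PublicKey) (map[string]string, error) {
	pub, ok := trusted[p.Issuer]
	if !ok {
		return nil, fmt.Errorf("issuer %q not trusted", p.Issuer)
	}
	if !ed25519.Verify(pub, signedPayload(p.Issuer, p.Digests), p.Signature) {
		return nil, fmt.Errorf("issuer signature invalid")
	}
	signed := map[string]bool{}
	for _, d := range p.Digests {
		signed[string(d)] = true
	}
	for name, value := range p.Attrs {
		if !signed[string(attrDigest(p.Salts[name], name, value))] {
			return nil, fmt.Errorf("attribute %q does not match a signed digest", name)
		}
	}
	return p.Attrs, nil
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	cred, _ := Issue("gemeente.example", priv, map[string]string{ // constructed sample data
		"name": "A. Jansen", "dob": "1990-05-17", "over18": "yes", "bsn": "123456782"})
	p, _ := cred.Disclose("over18")
	revealed, err := Verify(p, map[string]ed25519.PublicKey{"gemeente.example": pub})
	fmt.Println(revealed, err) // name, dob and bsn were never transmitted
	// Step 4: all the relying party persists is issuer, time and attribute names.
	fmt.Printf("verified %v from %s at %s\n", []string{"over18"}, p.Issuer, time.Now().Format(time.RFC3339))
}
```

The verifier ends up with the issuer’s name, a timestamp and the names of the attributes it checked; a breach of its database yields none of the values. The predicate “over 18” is issued here as its own signed attribute rather than derived from the date of birth, which is also how Yivi credentials carry it in practice.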

No central database to steal

The crucial difference: there is no central database with millions of identity documents. The data remains on the phones of individual users. A hacker who breaches a company’s system finds no passport copies or BSN numbers — because they simply aren’t there.

This isn’t a theoretical concept. Yivi is a working system that implements this principle. Municipalities like Nijmegen are already using it for digital services.

Authentication without interceptable codes

There’s another relevant aspect of the Odido hack: how the hackers bypassed 2FA by tricking employees into approving login requests.

With Yivi authentication this particular trick has nothing to work with, for a simple reason: there is no code to read out over the phone and no generic push notification to approve. Authentication happens via cryptographic proofs generated directly by the user on their own device and bound to the verifier’s session. There’s no “code” that an employee can pass on or a “request” that can be approved by the wrong person.

This makes social engineering attacks on the authentication process fundamentally more difficult.

The broader question: how do we organize identification?

The Odido data breach isn’t just a technical security problem. It’s a symptom of a deeper issue: how has Dutch society organized identity verification?

Currently, we have a system where:

  • Thousands of organizations are legally required to collect identity data
  • This data is stored centrally in company databases
  • Every database is a potential target for hackers
  • A successful attack on one database can affect millions of citizens

The question isn’t whether companies should improve their security — they certainly should. The question is whether we shouldn’t think fundamentally differently about where identity data is stored.

The role of regulation

Current regulation pushes companies toward centralized storage. If the law requires that a telecom company can provide data to law enforcement, then that data must be stored somewhere. But GDPR simultaneously requires data minimization.

With the arrival of eIDAS 2.0 and the European Digital Identity Wallet, new possibilities emerge. This regulation recognizes the principle that citizens can manage their own identity data and share it selectively. This opens the door to systems where verification and storage are decoupled.

What could be different?

A future scenario: a telecom company verifies the identity of a new customer via a digital identity wallet. The verification is legally valid and meets legal requirements. But the company doesn’t store a passport copy — only the fact that verification took place.

If law enforcement later needs data, they can — with the proper legal basis — approach the customer directly, or via the municipality/government that issued the original identity attributes.

This requires changes in legislation, technical infrastructure, and how investigative powers are exercised. But it’s not science fiction — the building blocks already exist.

Conclusion: a system in transition

The Odido data breach is a painful lesson, but it would be unfair to place all blame on one company. Odido operated within a system that forces companies to store sensitive data centrally — and that system has inherent vulnerabilities.

The question for the coming years is: can we evolve toward a model where identity verification is possible without every organization managing a potentially leaking database of identity documents?

Decentralized identity systems offer an alternative perspective. Not as a miracle solution, but as a fundamentally different architecture where:

  • Data stays with the citizen instead of with companies
  • Verification works via cryptographic proofs instead of copies
  • A data breach at one organization doesn’t automatically expose millions of identity documents
  • Authentication doesn’t depend on interceptable codes

Whether this becomes the future depends on technological development, legislative choices, and the willingness of organizations to adapt their processes. But after the Odido data breach, the moment seems ripe to have this discussion seriously.

The technology for decentralized identity exists — Yivi is an example of this. The question is whether we as a society are willing to reconsider the way we organize identity.
