The recent data breach at internet provider Odido, in which data from an estimated 6.2 million customers was stolen, raises critical questions about responsibility, transparency, and possible compensation. Although the incident is significant in scale, the telecom company states that data breach victims are not automatically entitled to compensation. That message was added to an information page about the incident this week.
According to Odido, there are currently no indications that customers have actually suffered damage as a result of the data breach. The company says that reports of phishing, for example, may be related to other incidents. “Based on the information currently available to Odido, we have no reason to believe that any damage is the result of the data breach at Odido,” the provider said.
Suspicious signals
At the same time, Odido emphasizes that it has proactively informed customers and urged them to be alert to suspicious signs. This is in line with the advice of the Dutch government’s Centraal Meldpunt Identiteitsfraude (CMI). The company also warns customers to be cautious about parties that give advice that deviates from the official guidelines. In doing so, Odido appears to be indirectly responding to organizations and lawyers who point to possible liability in the event of data breaches.
Compensation
Nevertheless, Odido’s communication raises questions. From a legal point of view, it is correct that a data breach does not automatically entitle the victim to compensation, but this does not mean that compensation is ruled out. In the European Union, organizations that process personal data are obliged to protect it adequately. If security measures prove to have been inadequate, liability may still be an issue.
Odido remains remarkably reticent about the cause of the leak. The company says it is working with external security experts and talks about a “thorough evaluation,” but does not provide any concrete details about how attackers gained access to the systems. According to reports by the NOS, the hack took place in a Salesforce environment where customer data was stored, possibly through a combination of phishing and social engineering. This points to human vulnerabilities and security processes that may have been insufficient.
Password
Odido also emphasizes that it did not send any emails asking customers to change their passwords and that the data breach in itself is not a reason to terminate contracts prematurely. That message may be intended to be reassuring, but it also underscores how difficult it is for customers to assess the risks of such an incident themselves.
The data breach at Odido shows how significant the impact can be when personal data ends up in the public domain, even if no direct damage can yet be demonstrated. Precisely for this reason, the question remains whether the emphasis on the lack of compensation is premature, as long as the full circumstances and possible consequences are still unclear.