Following a significant data security incident in 2026, Odido — one of the Netherlands' leading telecommunications providers — required expert support for post-incident forensic analysis, regulatory response, and the development of a comprehensive strategy to rebuild their data security and governance posture. The incident had exposed significant vulnerabilities in their data architecture and governance framework, and the organisation needed both immediate remediation and a long-term strategy for building a genuinely secure and governed data environment.
In late 2026, Odido experienced a significant data security incident that resulted in unauthorised access to customer personal data. The incident triggered immediate regulatory obligations under GDPR Article 33 — requiring notification to the Dutch Data Protection Authority (Autoriteit Persoonsgegevens) within 72 hours — and created urgent operational, reputational, and legal challenges.
MDN.digital was engaged within hours of the incident being confirmed, providing the technical expertise and regulatory knowledge required to navigate the immediate response while simultaneously beginning the forensic investigation.
The forensic investigation was the most time-critical element of the engagement. GDPR requires that the supervisory authority notification include, to the extent possible, the nature of the breach, the categories and approximate number of individuals affected, and the likely consequences. Producing this information within 72 hours required rapid, structured forensic work.
The forensic team's first priority was understanding how the attacker gained access. This involved analysis of authentication logs, network traffic records, and system access patterns in the period preceding the incident. The analysis identified the initial attack vector, the lateral movement path through Odido's systems, and the data systems that were accessed.
The data impact assessment — determining exactly what personal data was accessed or exfiltrated — was the most complex element of the forensic investigation. This required correlating attacker activity logs with data access records, data classification information, and the data models of affected systems.
Odido's existing data governance infrastructure, while not comprehensive, provided sufficient lineage and classification information to accelerate the impact assessment significantly. The combination of existing metadata and forensic analysis allowed the team to produce a data impact assessment that was sufficiently detailed for the regulatory notification within the required timeframe.
MDN.digital supported Odido's legal and compliance teams in preparing the supervisory authority notification, ensuring that the technical findings of the forensic investigation were accurately reflected in the regulatory submission. The notification was submitted within the 72-hour window, with a commitment to provide supplementary information as the investigation progressed.
The subsequent regulatory engagement — including the Autoriteit Persoonsgegevens' follow-up investigation — was supported by MDN.digital's ongoing forensic and governance work, providing the technical evidence required to demonstrate the scope of the incident and the adequacy of Odido's response.
Following the immediate incident response, MDN.digital was engaged to develop a comprehensive data security and governance strategy — addressing not just the specific vulnerabilities exposed by the incident, but the broader governance gaps that had contributed to the organisation's risk exposure.
A comprehensive assessment of Odido's data governance maturity was conducted, covering data ownership, data quality, access controls, retention practices, and privacy compliance. The assessment identified significant gaps: inconsistent data classification, overly permissive access controls, inadequate data retention enforcement, and insufficient monitoring of data access patterns.
The assessment provided the factual foundation for the governance strategy — ensuring that the strategy addressed real, documented gaps rather than theoretical risks.
The security architecture review examined Odido's data infrastructure from a security perspective, identifying architectural vulnerabilities that had contributed to the incident and that created ongoing risk. The review covered network segmentation, authentication and authorisation mechanisms, encryption at rest and in transit, and monitoring and detection capabilities.
The governance and security roadmap was structured in three phases, balancing the urgency of addressing critical vulnerabilities with the operational reality of implementing changes in a complex telecommunications environment.
Phase 1 (0–3 months): Critical Remediation — Addressing the specific vulnerabilities identified in the forensic investigation, implementing enhanced monitoring and detection, and establishing the immediate governance controls required for regulatory compliance.
Phase 2 (3–9 months): Governance Foundation — Implementing a comprehensive data governance framework, including data classification and tagging, access control rationalisation, automated retention enforcement, and a data catalogue covering all personal data assets.
Phase 3 (9–18 months): Resilience and Maturity — Building the long-term governance and security capabilities required for a genuinely resilient data posture: privacy by design in all new data initiatives, continuous security monitoring, regular governance audits, and a data literacy programme for all staff.
MDN.digital supported the implementation of Phase 1 and Phase 2 of the roadmap, working alongside Odido's internal teams to implement the governance and security controls defined in the strategy.
Microsoft Purview was implemented as the central data governance platform, providing automated data classification, lineage tracking, and a unified catalogue of all personal data assets. The implementation covered Odido's Azure data estate, providing the visibility into personal data holdings that had been absent before the incident.
Access controls were rationalised across all data systems, implementing the principle of least privilege and establishing a formal access review process. Automated retention enforcement was implemented for the highest-risk personal data categories, with audit logging to demonstrate compliance.
The post-breach engagement transformed what was initially a crisis response into a strategic governance improvement programme. Odido emerged from the incident with a significantly stronger data governance and security posture than they had before it — with the documentation, controls, and monitoring infrastructure required to demonstrate compliance to regulators and customers.
The programme also delivered unexpected operational benefits. The data classification and governance work revealed significant data duplication and redundant systems, the elimination of which contributed to a 35% reduction in data infrastructure costs. The improved data quality and lineage visibility accelerated analytics and reporting workflows, delivering productivity improvements across the organisation.
The regulatory outcome — while involving a financial penalty for the original incident — was significantly more favourable than it might have been, reflecting the thoroughness of Odido's forensic response, the quality of their regulatory engagement, and the credibility of their remediation programme.
MDN.digital provided end-to-end post-incident support: forensic analysis and impact assessment, regulatory response support, and the design and implementation of a comprehensive data security and governance strategy.
Majid Al Futtaim, one of the Middle East's leading retail and real estate conglomerates, sought to transform their custo...
Vesting Finance, a Dutch financial services organisation, was operating a complex on-premise data infrastructure that wa...