Chances are you saw the news about the hack at telecom company Odido and thought: big companies, big problems. That would be a mistake. For museums, theatres and other cultural institutions in particular, this data theft contains an uncomfortable lesson. SMEs (which include most of the cultural sector) are especially vulnerable.
I now know that my own data is in the captured dataset. The police check page revealed that my e-mail address appears in the files captured by the attackers. This means that my personal data is probably also in that dataset. The consequence is simple: in the coming period - possibly even years - I will have to be extra vigilant for phishing emails, fake phone calls and other forms of digital scams. That's not a pleasant prospect. But most of all, it says something about the value of data in the hands of cybercriminals.
The power of combined data
The stolen dataset contains combinations of personal data that are particularly useful to cybercriminals: names, addresses, phone numbers, bank account numbers and possibly identity information. On their own, these may seem like innocuous data. When combined, however, they form a complete profile. With such profiles, criminals can commit very convincing fraud: an e-mail ostensibly from a bank, a phone call from someone pretending to be an employee of a telecom provider, or a request to confirm an account that is actually intended to gain access to other systems.
This kind of targeted fraud - often referred to as social engineering - has been on the rise for years. With the help of AI, this approach can become even more credible. Today, a well-written phishing email is easy to generate. The difference is made by the quality of the underlying data. And that is precisely where the first lesson for the cultural sector lies.
The attack did not come through the network
What makes this Odido case so interesting is not only the extent of the data captured, but especially the way it was achieved. The classic image of the hacker working his way through digital walls and firewalls has not been true for some time. For a long time, cybersecurity revolved around one central question: how do you keep intruders out? That question is now outdated.
Indeed, the data theft at Odido did not involve an attack on the telecom network itself. According to initial analyses, access was gained through a customer service system: a CRM environment where attackers had captured employee login credentials through phishing. With that data, they could easily log in and then copy and release large amounts of customer data.
That detail is crucial. Organisations often invest huge sums in protecting their core systems. Telecom companies secure their network, banks their payment infrastructure. But the biggest vulnerabilities are often elsewhere in the digital (SaaS) chain: in CRM systems, marketing tools, ticketing platforms and other cloud environments where customer data converge. Precisely these are also the systems widely used in the cultural sector.
The reality by now is that the most effective attackers do not need to break in at all. They simply log in. In these kinds of incidents, the cause is rarely a technical vulnerability in software, but a stolen identity: a password captured via phishing or offered for sale somewhere on the dark web. So instead of breaking in, attackers sneak in - or even simpler: they enter through the front door with valid login data. Identity has thus become the new primary target. With traditional digital walls and locks getting better and better, attackers are focusing on the keys themselves.
Added to this is a second development that is at least as worrying for security teams: the speed of modern attacks. Many digital attacks today take less than 10 minutes - too fast for human intervention. Detection and response that rely on manual monitoring simply cannot keep up with that pace anymore.
The corollary is that organisations must fundamentally rethink their defences. Cybersecurity can no longer be exclusively reactive. In a world where attacks happen within minutes, organisations must shift to a proactive and largely automated defence posture. Only then will there still be a chance to stop attacks before the damage occurs.
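As an added illustration (not part of the original article and not based on Odido's actual systems), the sketch below shows what an automated rule for the scenario described above can look like: a valid login from an address never seen before for that account, followed within minutes by bulk access to customer records. The log format, field names, thresholds, user names and IP addresses are all constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of CRM audit events (assumed format, not a real product's):
# timestamp, user, source IP, action, number of customer records touched
SAMPLE_LOG = """\
2025-01-06T09:02:11 alice 192.0.2.10 login 0
2025-01-06T09:05:40 alice 192.0.2.10 view_record 1
2025-01-07T09:01:30 alice 192.0.2.10 login 0
2025-01-07T09:10:12 alice 192.0.2.10 export 40
2025-01-08T02:14:05 alice 203.0.113.77 login 0
2025-01-08T02:15:20 alice 203.0.113.77 export 5000
2025-01-08T02:17:45 alice 203.0.113.77 export 5000
2025-01-08T09:03:00 bob 192.0.2.11 login 0
2025-01-08T09:04:10 bob 192.0.2.11 view_record 1
"""

WINDOW = timedelta(minutes=10)  # assumed: matches the "under 10 minutes" attack speed
BULK_THRESHOLD = 1000           # assumed: record volume no normal session reaches


def parse(log):
    """Yield (timestamp, user, ip, action, record_count) per audit line."""
    for line in log.strip().splitlines():
        ts, user, ip, action, count = line.split()
        yield datetime.fromisoformat(ts), user, ip, action, int(count)


def detect(log):
    """Return (user, ip, records, seconds_after_login) for sessions to suspend."""
    known_ips = defaultdict(set)  # user -> IPs seen on earlier, unflagged logins
    session = {}                  # user -> state of the current session
    alerts = []
    for ts, user, ip, action, count in parse(log):
        if action == "login":
            # A user's first login has no baseline yet and is not scored.
            new_ip = bool(known_ips[user]) and ip not in known_ips[user]
            session[user] = dict(ip=ip, start=ts, new_ip=new_ip, records=0, flagged=False)
            known_ips[user].add(ip)
            continue
        s = session.get(user)
        if s is None or s["flagged"] or ts - s["start"] > WINDOW:
            continue
        s["records"] += count
        if s["new_ip"] and s["records"] >= BULK_THRESHOLD:
            s["flagged"] = True
            known_ips[user].discard(s["ip"])  # never learn the flagged address as normal
            alerts.append((user, s["ip"], s["records"], int((ts - s["start"]).total_seconds())))
    return alerts
```

In a real deployment the returned alert would feed an automatic action, such as revoking the session and forcing a credential reset, rather than waiting for a person to read it.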
The cultural sector's digital infrastructure
Every cultural institution today has a visitor database, a newsletter system, a donor database and a ticketing platform. Sometimes these are integrated, often they are scattered across multiple platforms that are interconnected. On top of that, many of these systems run as SaaS solutions with third-party vendors. This makes management more complex. Data moves between systems, users have different access rights and updates or security settings are partly beyond the direct control of the organisation itself.
Moreover, the sector is in the midst of a digital transformation. Audience data has become essential for marketing, fundraising and audience analysis. That makes that data valuable - but also risky.
The governance problem
Underneath this technical complexity lies a governance problem that is recognisable in many organisations. Data belongs to everyone and, at the same time, to no one. The IT department manages the system. Marketing uses the data for campaigns. Customer service completes profiles. Compliance writes rules on privacy and security. But who is ultimately responsible for the risk this data represents? In many organisations, this is surprisingly unclear.
This usually only becomes apparent when an incident occurs. Then it turns out that no one had the full overview of where data was stored, who had access to it and exactly how it was protected. For cultural institutions, perhaps the most important lesson of the Odido hack lies here: cyber security does not start with technology, but with governance.
Boards, directors and supervisory boards need to realise that the data they collect - visitor information, membership records and donor files - is not only a valuable business asset, but also a potential vulnerability.
The insurance reality
Another aspect often underexposed in the cultural sector is cyber insurance. Organisations are insured against many risks: fire, liability, damage to buildings or collections. However, cyber risks are still rarely covered structurally; research by DEN shows that less than 20% of cultural institutions have cyber insurance.
There are several reasons for this. Sometimes there is simply a lack of interest. But a more important problem is that insurers are looking more and more critically at the quality of cyber risk management. It is estimated that a large proportion of cyber insurance applications are rejected because organisations have insufficient control over their digital risks. This makes institutions especially vulnerable. Indeed, cyber insurance policies do not only cover financial losses. They often also provide direct incident response support: forensic investigations, communication with victims and restoration of systems. Such support can be crucial when an organisation is suddenly faced with a data breach or ransomware attack.
How insurers look at a hack
For insurers, an incident like the one at Odido is assessed along several lines.
- The first question is the extent of the data captured. When personal data, bank account numbers and identity details of large numbers of customers have been stolen, the costs can add up quickly. Think forensic investigations, legal proceedings, customer compensation and reputational damage.
- The second question concerns the cause. Was there a sophisticated attack, or were there security deficiencies? Inadequate access management, poor monitoring or failure to follow up on security alerts can determine whether damage is covered under a policy.
- Finally, insurers - as well as regulators - are increasingly looking at governance. How was data management organised and who bore responsibility for data protection?
The latter point is becoming increasingly important. Authorities such as the Personal Data Authority can impose substantial fines for serious breaches.
The long aftermath of a data breach
Added to this is something else. Meanwhile, there are reports that mass claims are being prepared against Odido. If that actually happens, the legal and financial aftermath of this hack could last for years.
For consumers, this means above all that they need to stay alert themselves. Stolen datasets rarely disappear from the internet. When organisations do not pay a ransom - which the police rightly advise - the data often continues to circulate on criminal marketplaces.
But for cultural organisations, the most important lesson lies elsewhere.
The reality for cultural institutions
The Odido case shows that even a telecom company with hundreds of IT specialists is not immune to data breaches. If such an organisation can prove vulnerable, it is wise for smaller institutions to ask themselves how well prepared they are themselves.
The ransomware attack on the Veenkoloniaal Museum is an illustrative example. In that attack, name and address details, e-mail addresses, phone numbers and IBAN numbers of creditors, debtors and donors were also leaked. The attackers eventually posted this data on the dark web. The difference from Odido is mainly one of scale and complexity. For cybercriminals, penetrating a small institution is often considerably easier, especially with the advent of AI-driven technology. After all, many museums and cultural organisations do not have their own cybersecurity team. (And they also do not have cyber insurance that would allow them to catch an attack immediately.)
From incident to responsibility
The reaction after cybercrime is similar. People talk about an “incident” or a “data breach”, as if it were a form of storm damage that simply could not be prevented. In doing so, the problem shifts unnoticed to the victims. Citizens are advised to be alert, change their passwords and report suspicious messages. But organisations have a responsibility of their own. Managing cyber risks is no longer a luxury. It is part of good governance.
For cultural institutions, this means that cyber security is no longer just a technical issue, but a strategic one. It is about data management, governance, responsibilities and risk awareness.
Above all, the hack at Odido shows that digital vulnerabilities are no longer the exception. Even organisations with huge IT budgets can be affected. For the cultural sector, the conclusion is therefore simple but uncomfortable: waiting for things to go wrong is not a strategy. Cyber risks must be actively managed - before an incident forces the organisation to do so.
For those who want to go deeper, here are two recent reports on cybersecurity:




