{"id":100862,"date":"2026-03-07T16:03:40","date_gmt":"2026-03-07T15:03:40","guid":{"rendered":"https:\/\/cultureelpersbureau.nl\/?p=100862"},"modified":"2026-03-07T16:03:44","modified_gmt":"2026-03-07T15:03:44","slug":"als-zelfs-een-telecombedrijf-het-niet-kan-voorkomen-wat-de-culturele-sector-kan-leren-van-de-odido-hack","status":"publish","type":"post","link":"https:\/\/cultureelpersbureau.nl\/en\/2026\/03\/als-zelfs-een-telecombedrijf-het-niet-kan-voorkomen-wat-de-culturele-sector-kan-leren-van-de-odido-hack\/","title":{"rendered":"When even a telecoms company can't prevent it: what the cultural sector can learn from the Odido hack"},"content":{"rendered":"<p>\u00a0Chances are you saw the <span style=\"color: #467886;\"><u><a href=\"https:\/\/nos.nl\/artikel\/2602080-hack-bij-odido-gegevens-miljoenen-klanten-in-handen-van-criminelen\">news about the hack<\/a><\/u><\/span> at telecom company Odido and then thought: big companies, big problems. That would be a mistake. For museums, theatres and other cultural institutions in particular, this data theft contains an uncomfortable lesson. SMEs (which include most of the cultural sector) are especially vulnerable.<\/p>\n\n\n\n<p>\u00a0I now know that my own data is in the captured dataset. The <span style=\"color: #467886;\"><u><a href=\"https:\/\/www.politie.nl\/informatie\/checkjehack.html\">police check page<\/a><\/u><\/span> revealed that my e-mail address appears in the files captured by the attackers. This means that my personal data is probably also in that dataset. The consequence is simple: in the coming period - possibly even years - I will have to be extra vigilant for phishing emails, fake phone calls and other forms of digital scams. That's not a pleasant prospect. 
But most of all, it says something about the value of data in the hands of cybercriminals.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">\u00a0<b>The power of combined data<\/b><\/h2>\n\n\n\n<p>\u00a0The stolen dataset contains combinations of personal data that are particularly useful to cybercriminals. Names, addresses, phone numbers, bank account numbers and possibly identity information. On their own, these may seem like innocuous data. When combined, however, they form a complete profile. With such profiles, criminals can commit very convincing fraud. An e-mail ostensibly from a bank, a phone call from someone pretending to be an employee of a telecom provider, or a request to confirm an account that is actually intended to gain access to other systems.<\/p>\n\n\n\n<p>\u00a0This kind of targeted fraud - often referred to as social engineering - has been on the rise for years. With the help of AI, this approach can become even more credible. Today, a well-written phishing email is easy to generate. The difference is made by the quality of the underlying data. And that is precisely where the first lesson for the cultural sector lies.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">\u00a0<b>The attack did not come through the network<\/b><\/h2>\n\n\n\n<p>\u00a0What makes this Odido case so interesting is not only the extent of the data captured, but especially the way it was achieved. The classic image of the hacker working his way through digital walls and firewalls has not been true for some time. For a long time, cybersecurity revolved around one central question: how do you keep intruders out? That question is now outdated.<\/p>\n\n\n\n<p>\u00a0Indeed, the data theft at Odido did not involve an attack on the telecom network itself. According to initial analyses, access was gained through a customer service system: a CRM environment where attackers had captured employee login credentials through phishing. 
With that data, they could easily log in and then copy and release large amounts of customer data.<\/p>\n\n\n\n<p>\u00a0That detail is crucial. Organisations often invest huge sums in protecting their core systems. Telecom companies secure their network, banks their payment infrastructure. But the biggest vulnerabilities are often elsewhere in the digital (SaaS) chain: in CRM systems, marketing tools, ticketing platforms and other cloud environments where customer data converge. Precisely these are also the systems widely used in the cultural sector.<\/p>\n\n\n\n<p>\u00a0The reality by now is that the most effective attackers do not need to break in at all. They simply log in. In these kinds of incidents, it is rarely a technical leak in software, but a stolen identity: a password captured via phishing or for sale somewhere on the darkweb. So instead of breaking in, it is sneaking in - or even simpler: simply entering through the front door with valid login data. Identity has thus become the new primary target. With traditional digital walls and locks getting better and better, attackers are focusing on the keys themselves.<\/p>\n\n\n\n<p>\u00a0Added to this is a second development that is at least as worrying for security teams: the speed of modern attacks. Many digital attacks today take less than 10 minutes - too fast for human intervention. Detection and response that rely on manual monitoring simply cannot keep up with that pace anymore.<\/p>\n\n\n\n<p>The corollary is that organisations must fundamentally rethink their defences. Cybersecurity can no longer be exclusively reactive. In a world where attacks happen within minutes, organisations must shift to a proactive and largely automated defence posture. 
Only then will there still be a chance to stop attacks before the damage occurs.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">\u00a0<b>Culture sector's digital infrastructure<\/b><\/h2>\n\n\n\n<p>\u00a0Every cultural institution today has a visitor database, a newsletter system, a donor database and a ticketing platform. Sometimes these are integrated, often they are scattered across multiple platforms that are interconnected. On top of that, many of these systems run as SaaS solutions with third-party vendors. This makes management more complex. Data moves between systems, users have different access rights and updates or security settings are partly beyond the direct control of the organisation itself.<\/p>\n\n\n\n<p>\u00a0Moreover, the sector is in the midst of a digital transformation. Audience data has become essential for marketing, fundraising and audience analysis. That makes that data valuable - but also risky.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">\u00a0<b>The governance problem<\/b><\/h2>\n\n\n\n<p>\u00a0Underneath this technical complexity lies a governance problem that is recognisable in many organisations. Data belongs to everyone and, at the same time, to no one. The IT department manages the system. Marketing uses the data for campaigns. Customer service completes profiles. Compliance writes rules on privacy and security. But who is ultimately responsible for the risk this data represents? In many organisations, this is surprisingly unclear.<\/p>\n\n\n\n<p>\u00a0This usually only becomes apparent when an incident occurs. Then it turns out that no one had the full overview of where data was stored, who had access to it and exactly how it was protected. 
For cultural institutions, perhaps the most important lesson of the Odido hack lies here: cyber security does not start with technology, but with governance.<\/p>\n\n\n\n<p>\u00a0Boards, directors and supervisory boards need to realise that the data they collect - visitor information, membership records and donor files - is not only a valuable business asset, but also a potential vulnerability.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">\u00a0<b>The insurance reality<\/b><\/h2>\n\n\n\n<p>\u00a0Another aspect often underexposed in the cultural sector is cyber insurance. Organisations are insured against many risks: fire, liability, damage to buildings or collections. However, cyber risks are still rarely covered structurally; research by DEN shows that less than 20% of cultural institutions have cyber insurance.<\/p>\n\n\n\n<p>\u00a0There are several reasons for this. Sometimes there is simply a lack of interest. But a more important problem is that insurers are looking more and more critically at the quality of cyber risk management. It is estimated that a large proportion of cyber insurance applications are rejected because organisations have insufficient control over their digital risks. This makes institutions especially vulnerable. Indeed, cyber insurance does not only cover financial losses. They often also provide direct incident response support: forensic investigations, communication with victims and restoration of systems. Such support can be crucial when an organisation is suddenly faced with a data breach or ransomware attack.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">\u00a0<b>How insurers look at a hack<\/b><\/h2>\n\n\n\n<p>\u00a0For insurers, an incident like the one at Odido is assessed along several lines.<\/p>\n\n\n\n<ol class=\"wp-block-list\">\n<li>The first question is the extent of the data captured. When personal data, bank account numbers and identity details of large numbers of customers have been stolen, the costs can add up quickly. 
Think of forensic investigations, legal proceedings, customer compensation and reputational damage.<\/li>\n\n\n\n<li>The second question concerns the cause. Was there a sophisticated attack, or were there security deficiencies? Inadequate access management, poor monitoring or failure to follow up on security alerts can determine whether damage is covered under a policy.<\/li>\n\n\n\n<li>Finally, insurers - as well as regulators - are increasingly looking at governance. How was data management organised and who bore responsibility for data protection?<\/li>\n<\/ol>\n\n\n\n<p>\u00a0The latter point is becoming increasingly important. Authorities such as the Dutch Data Protection Authority (Autoriteit Persoonsgegevens) can impose substantial fines for serious breaches.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">\u00a0<b>The long aftermath of a data breach<\/b><\/h2>\n\n\n\n<p>There is more. There are now reports that mass claims are being prepared against Odido. If that actually happens, the legal and financial aftermath of this hack could last for years.<\/p>\n\n\n\n<p>\u00a0For consumers, this means above all that they need to stay alert themselves. Stolen datasets rarely disappear from the internet. When organisations do not pay a ransom - as the police rightly advise - the data often continues to circulate on criminal marketplaces.<\/p>\n\n\n\n<p>\u00a0But for cultural organisations, the most important lesson lies elsewhere.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">\u00a0<b>The reality for cultural institutions<\/b><\/h2>\n\n\n\n<p>\u00a0The Odido case shows that even a telecom company with hundreds of IT specialists is not immune to data breaches. 
If such an organisation can prove vulnerable, it is wise for smaller institutions to ask themselves how well prepared they are themselves.<\/p>\n\n\n\n<p>\u00a0The <span style=\"color: #467886;\"><u><a href=\"https:\/\/www.veenkoloniaalmuseum.nl\/nl\/over-het-museum\/organisatie\/veenkoloniaal-museum-gehackt\">ransomware attack on the Veenkoloniaal Museum<\/a><\/u><\/span> is an illustrative example. In the process, name and address details, e-mail addresses, phone numbers and IBAN numbers of creditors, debtors and donors were also leaked. The attackers eventually posted this data on the dark web. The difference with Odido is mainly its scale and complexity. For cybercriminals, penetrating a small institution is often considerably easier, especially with the advent of AI-driven technology. After all, many museums and cultural organisations do not have their own cybersecurity team. (And they also do not have cyber insurance that would allow them to catch an attack immediately).<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">\u00a0<b>From incident to responsibility<\/b><\/h2>\n\n\n\n<p>\u00a0The reaction after cybercrime is similar. People talk about an \u201cincident\u201d or a \u201cdata breach\u201d, as if it were a form of storm damage that simply could not be prevented. In doing so, the problem shifts unnoticed to the victims. Citizens are advised to be alert, change their passwords and report suspicious messages. But organisations have a responsibility of their own. Managing cyber risks is no longer a luxury. It is part of good governance.<\/p>\n\n\n\n<p>\u00a0For cultural institutions, this means that cyber security is no longer just a technical issue, but a strategic one. It is about data management, governance, responsibilities and risk awareness.<\/p>\n\n\n\n<p>\u00a0Above all, the hack at Odido shows that digital vulnerabilities are no longer the exception. Even organisations with huge IT budgets can be affected. 
For the cultural sector, the conclusion is therefore simple but uncomfortable: waiting for things to go wrong is not a strategy. Cyber risks must be actively managed - before an incident forces the organisation to do so.<\/p>\n\n\n\n<div class=\"su-note\"  style=\"border-color:#e5e54c;border-radius:3px;-moz-border-radius:3px;-webkit-border-radius:3px;\"><div class=\"su-note-inner su-u-clearfix su-u-trim\" style=\"background-color:#FFFF66;border-color:#ffffff;color:#333333;border-radius:3px;-moz-border-radius:3px;-webkit-border-radius:3px;\"><span style=\"color: #467886;\"><u><a href=\"https:\/\/www.den.nl\/agenda\">DEN organises<\/a><\/u><\/span> regular meetings on cybersecurity for the cultural sector. On 19 March and 13 May, for instance, there are (online) meetings on this topic.<\/p>\n\n\n\n<p>\u00a0For those who want to go deeper, here are two recent reports on cybersecurity:<\/p>\n\n\n\n<ol class=\"wp-block-list\">\n<li><a href=\"https:\/\/cloudflare.net\/news\/news-details\/2026\/Cloudflare-2026-Threat-Intelligence-Report-Nation-State-Actors-and-Cybercriminals-Shift-from-Breaking-In-to-Logging-In\/default.aspx\">Cloudflare Threat Report 2026<\/a> <\/li>\n\n\n\n<li><a href=\"https:\/\/proton.me\/nl\/business\/smb-cybersecurity-report\">Proton SME report 2026 <\/a><\/div><\/div><\/li>\n<\/ol>","protected":false},"excerpt":{"rendered":"<p>Even a telecoms company with hundreds of IT specialists proved unable to prevent a data breach. The Odido hack shows how vulnerable organisations are when identity and data are central. 
For museums and cultural institutions, the most important lesson lies not in technology, but in governance and risk-aware management.<\/p>","protected":false},"author":1273,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_eb_attr":"","_themeisle_gutenberg_block_has_review":false,"_jetpack_memberships_contains_paid_content":false,"activitypub_content_warning":"","activitypub_content_visibility":"","activitypub_max_image_attachments":3,"activitypub_interaction_policy_quote":"anyone","activitypub_status":"federated","footnotes":"","jetpack_publicize_message":"Guido van Nispen writes: \"Even a telecoms company with hundreds of IT specialists proved unable to prevent a data breach. The Odido hack shows how vulnerable organisations are when identity and data are central.\"","jetpack_publicize_feature_enabled":true,"jetpack_social_post_already_shared":false,"jetpack_social_options":{"image_generator_settings":{"template":"highway","default_image_id":0,"font":"","enabled":false},"version":2}},"categories":[15614,10340,11687],"tags":[15741,16510],"class_list":["post-100862","post","type-post","status-publish","format-standard","hentry","category-beleid","category-erfgoed","category-donatie-gevraagd","tag-artificiele-intelligentie","tag-cyberveiligheid"],"views":2453,"jetpack_publicize_connections":[],"jetpack_featured_media_url":"","jetpack-related-posts":[{"id":100931,"url":"https:\/\/cultureelpersbureau.nl\/en\/2026\/03\/cyber-hacks-101-van-ethische-hackers-tot-criminele-bendes-wat-bestuurders-en-toezichthouders-in-de-cultuursector-moeten-weten-over-moderne-cyberdreigingen\/","url_meta":{"origin":100862,"position":0},"title":"Cyber hacks 101: what directors and regulators in the cultural sector need to know","author":"Guido van Nispen","date":"15 March 2026","format":false,"excerpt":"Guido van Nispen writes: \u201cIn a sector that thrives on public trust, cyber resilience has long since 
ceased to be back-office hygiene. It has become part of the cultural infrastructure itself.\u201d...","rel":"","context":"In &quot;beleid&quot;","block_context":{"text":"beleid","link":"https:\/\/cultureelpersbureau.nl\/en\/genre\/beleid\/"},"img":{"alt_text":"","src":"","width":0,"height":0},"classes":[]},{"id":100680,"url":"https:\/\/cultureelpersbureau.nl\/en\/2026\/02\/de-mythe-van-de-digitale-rijbaan-waarom-de-culturele-sector-niet-even-kan-overstappen-op-soevereine-europese-it\/","url_meta":{"origin":100862,"position":1},"title":"The myth of the digital lane: Why the cultural sector cannot \u2018briefly\u2019 switch to sovereign European IT","author":"Guido van Nispen","date":"15 February 2026","format":false,"excerpt":"Digital sovereignty sounds attractive, but it is not a simple conversion. The comparison with Sweden's Days H masks the complex digital reality in which cultural institutions operate. On dependency, cyber risks and governance reality - and why realism is more urgent than ambition. Read why.","rel":"","context":"In &quot;beleid&quot;","block_context":{"text":"beleid","link":"https:\/\/cultureelpersbureau.nl\/en\/genre\/beleid\/"},"img":{"alt_text":"","src":"","width":0,"height":0},"classes":[]},{"id":100551,"url":"https:\/\/cultureelpersbureau.nl\/en\/2026\/01\/musea-zijn-soft-targets-waarom-is-cyberveiligheid-nog-altijd-geen-serieuze-bestuurszaak\/","url_meta":{"origin":100862,"position":2},"title":"Museums are soft targets - Why is cybersecurity still not a serious governance issue?","author":"Guido van Nispen","date":"27 January 2026","format":false,"excerpt":"Museums romanticise physical theft but underestimate digital vulnerability. 
This article shows why cyber incidents are not bad luck, but governance failures - and why digital resilience is now as fundamental as depot or fire safety.","rel":"","context":"In &quot;beleid&quot;","block_context":{"text":"beleid","link":"https:\/\/cultureelpersbureau.nl\/en\/genre\/beleid\/"},"img":{"alt_text":"","src":"","width":0,"height":0},"classes":[]},{"id":100180,"url":"https:\/\/cultureelpersbureau.nl\/en\/2025\/12\/cultureel-toezicht-2-0-met-moed-maar-nog-zonder-digitale-bril\/","url_meta":{"origin":100862,"position":3},"title":"Cultural supervision 2.0: with courage, but still without digital glasses","author":"Guido van Nispen","date":"27 December 2025","format":false,"excerpt":"Supervision in the cultural sector is no longer a side issue, but the stage on which trust is won or lost. The NVTC annual congress showed that the urgency is felt, but also how wide the gap is between insight and the capacity to act. Not incidents, but structural vulnerabilities determine why supervision often escalates too late.\u2026","rel":"","context":"In &quot;ACTUEEL&quot;","block_context":{"text":"ACTUEEL","link":"https:\/\/cultureelpersbureau.nl\/en\/genre\/nieuws\/"},"img":{"alt_text":"","src":"","width":0,"height":0},"classes":[]},{"id":100619,"url":"https:\/\/cultureelpersbureau.nl\/en\/2026\/02\/arttech-wordt-in-2026-volwassen-en-daarmee-ongemakkelijk\/","url_meta":{"origin":100862,"position":4},"title":"Art+Tech comes of age in 2026 - and with it, uncomfortable","author":"Guido van Nispen","date":"4 February 2026","format":false,"excerpt":"Art and Technology in 2026 not as a prediction of the future, but as a mirror. 
It shows how art and technology are outgrowing their experimental phase and colliding with power, institutions and choices already made today","rel":"","context":"In &quot;ACTUEEL&quot;","block_context":{"text":"ACTUEEL","link":"https:\/\/cultureelpersbureau.nl\/en\/genre\/nieuws\/"},"img":{"alt_text":"","src":"","width":0,"height":0},"classes":[]},{"id":101180,"url":"https:\/\/cultureelpersbureau.nl\/en\/2026\/04\/de-culturele-sector-omarmt-ai-voorzichtig-en-vooral-binnenskamers\/","url_meta":{"origin":100862,"position":5},"title":"Cultural sector embraces AI cautiously and mostly indoors","author":"Guido van Nispen","date":"13 April 2026","format":false,"excerpt":"The cultural sector likes to talk about AI, but on the floor public use remains strikingly limited. Behind the scenes things are moving faster. There, AI is settling into systems and processes, far from the view of visitors. And that is a pity, because cultural institutions are precisely so well\u2026","rel":"","context":"In 
&quot;ACTUEEL&quot;","block_context":{"text":"ACTUEEL","link":"https:\/\/cultureelpersbureau.nl\/en\/genre\/nieuws\/"},"img":{"alt_text":"","src":"","width":0,"height":0},"classes":[]}],"jetpack_shortlink":"https:\/\/wp.me\/p3yKke-qeO","jetpack_sharing_enabled":true,"_links":{"self":[{"href":"https:\/\/cultureelpersbureau.nl\/en\/wp-json\/wp\/v2\/posts\/100862","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/cultureelpersbureau.nl\/en\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/cultureelpersbureau.nl\/en\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/cultureelpersbureau.nl\/en\/wp-json\/wp\/v2\/users\/1273"}],"replies":[{"embeddable":true,"href":"https:\/\/cultureelpersbureau.nl\/en\/wp-json\/wp\/v2\/comments?post=100862"}],"version-history":[{"count":2,"href":"https:\/\/cultureelpersbureau.nl\/en\/wp-json\/wp\/v2\/posts\/100862\/revisions"}],"predecessor-version":[{"id":100866,"href":"https:\/\/cultureelpersbureau.nl\/en\/wp-json\/wp\/v2\/posts\/100862\/revisions\/100866"}],"wp:attachment":[{"href":"https:\/\/cultureelpersbureau.nl\/en\/wp-json\/wp\/v2\/media?parent=100862"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/cultureelpersbureau.nl\/en\/wp-json\/wp\/v2\/categories?post=100862"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/cultureelpersbureau.nl\/en\/wp-json\/wp\/v2\/tags?post=100862"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}