You have likely seen it come up (or even fallen victim to it): the data breach at Dutch telecom provider Odido. It quickly grew into one of the largest cybersecurity incidents in the Netherlands: millions of customer records ended up in the hands of the hacker group ShinyHunters. What initially started as a technical issue rapidly developed into a communication crisis, where lack of clarity and delays from ODIDO further strained customer trust.
Reports from outlets such as NOS and NRC highlighted that customers were left with fundamental questions for weeks. What data exactly was leaked? Was it only contact details or also identity numbers? And why were even former customers' data still stored? When hackers threatened to publish and ultimately did put data online, the focus shifted from the incident itself to the management of communication. This makes for an interesting case in the PR world.
Uncertainty fuels mistrust
Notably, new details often surfaced through journalists rather than the company itself. This creates the image of an organization that reacts rather than leads - while in a crisis, it matters not only what you say but especially when and how. An Odido spokesperson declared in the media: “Currently, all our efforts are aimed at informing and supporting customers as best we can regarding what has happened.”
This wording is empathetic and careful, but in a crisis of this magnitude, empathy is merely the beginning. Customers want concrete clarification of their personal risks and clear instructions on next steps. Moreover, we just mentioned in the introduction of this blog that customers were actually waiting a long time for clarity, which contradicts the notion of “informing and supporting customers as best we can.”
The role of leadership and preparation
Especially in data breaches, where privacy and security directly impact people's daily lives, the public expects visible leadership. In previous blogs on media training and crisis communication, we already emphasized that spokespersons should not only be substantively strong but also communicate consistently and understandably under pressure.
A crisis calls for more than one statement on the website: transparency about what is known, honesty about what is still being investigated, and clear explanations about what customers can do now. ODIDO’s inability to explain, for example, why they kept personal data of former customers for more than 2 years, once again does not work in their favor.
When communication occurs in phases or is incomplete, the explanation must be all the more comprehensible. That ODIDO then did not pay the hackers, leading to the data being posted on the dark web, caused even more misunderstanding among consumers. The explanation from an ODIDO spokesperson was “Our focus is on customers,” but many customers would have preferred the data not be published.
The lesson for PR teams
The data breach at Odido shows that reputational damage is rarely caused solely by the incident itself, but mainly by how an organization communicates as the incident unfolds.
A data breach can happen to any company because a digital security layer is never completely watertight. Thus, a crisis is sometimes unavoidable, but with consistent, transparent, and human-centered communication, a communication crisis does not have to be.
