June 24, 2026
Anatomy of a 6.2M Record Telecom Breach: When Vishing Meets Broken Access Control

By 0trust0day
How a simple social engineering attack bypassed a national telecom's entire security perimeter, and the architectural failures that allowed tier-one support to share 6.2 million records (including military, secret service and government officials data).
If you look at the state of information security in the European telecom sector, everything appears flawless on paper. Directors and executives are covered by tons of documentation, compliance frameworks, regulations, and training manuals. In reality, however, this security often exists only on paper. The recent case of Odido, one of the largest telecom providers in the Netherlands, perfectly illustrates this dangerous illusion.
Exfiltrating 6.2 million records containing home addresses, bank account numbers (IBANs), dates of birth, and identity document details is a catastrophic event on its own. But when that dataset includes the unredacted personal information of active operatives within the Dutch Secret Service (AIVD), the military, and the national judiciary, it elevates a corporate data breach to a severe national security crisis.
Furthermore, there is absolute chaos in the management of information security and technical infrastructure across the company's entire management hierarchy. Customers are treated merely as cash cows, and structured proposals or warnings from outside that highlight vulnerabilities are blatantly ignored.
I am the person who not only brought this company to court first regarding this data breach, but who also warned the company's management well in advance that their structural chaos would inevitably lead to a catastrophic event.
What Happened?
The kill chain began with social engineering. Threat actors targeted the telecom's customer support and internal helpdesk tier. Vishing (voice phishing) bypasses traditional perimeter defenses by targeting the human element to acquire valid session tokens or credentials.
However, the acquisition of a Tier-1 support agent's credentials should not result in a 6.2 million record compromise. Good CISOs have known how to handle vishing and phishing effectively for years. The fact that a single compromised low-privilege account led to the mass exposure of addresses and bank accounts of national intelligence operatives points directly to gross negligence at the executive level.
The table below outlines the basic security systems that should have triggered, and why their failure rests entirely on the shoulders of the CISO and CEO.
When every single one of these fundamental controls fails simultaneously, it is not the fault of the targeted helpdesk employee; it is a systemic failure of corporate governance.
But the attackers' next actions were an incredible success. How was this possible in such a large company?
Broken Access Control & The "God Mode" CRM
The core technical vulnerability in this breach lies within the telecom's Customer Relationship Management (CRM) and billing infrastructure (widely reported to involve Salesforce integrations).
The Exploit Path and Excessive Read Permissions
In a properly configured environment, a helpdesk agent querying a database only receives the data explicitly required for the active customer ticket. In this scenario, the authorization matrix was fundamentally broken.
When the attacker hijacked the Tier-1 session, they inherited a token with excessive READ privileges across the entire customer database.
Conceptual PoC and API Endpoint Abuse — Very Easy Actions!
To understand how the exfiltration occurred without triggering immediate alarms, we have to look at the API endpoints serving the CRM frontend. Often, legacy or poorly configured telecom APIs fail to implement strict pagination limits or object-level authorization (BOLA/IDOR).
An attacker inspecting the network traffic of the CRM portal might observe a legitimate API call like this:
GET /api/v2/customers/search?phone=31612345678 HTTP/1.1
Host: crm.telecom-internal.local
Authorization: Bearer [Compromised_Tier1_Token]
By manipulating the query parameters and exploiting the lack of server-side rate limiting and pagination enforcement, the attacker alters the request to dump sequential records or entire database clusters:
GET /api/v2/customers/export?region=ALL&limit=100000 HTTP/1.1
Host: crm.telecom-internal.local
Authorization: Bearer [Compromised_Tier1_Token]
Because the Bearer token belongs to an authenticated internal user, the API gateway explicitly trusts the request. The application layer fails to validate whether a Tier-1 agent has a business need to export 100,000 records at once. By automating this request, the attacker systematically exfiltrated 6.2 million records, including historical data of former clients.
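The missing server-side checks can be made concrete. The following is an added example, not code from Odido, Salesforce or the author: a minimal authorization layer for the two endpoints shown above. It ties every customer read to a ticket the agent is actually working (object-level authorization), treats bulk export as a separate privilege that a helpdesk role never holds, and clamps any page size to a hard cap the client cannot raise. The roles, tickets, customer records and the `data-protection-officer` export role are constructed assumptions.

```python
"""Server-side authorization for a helpdesk CRM API (added example, not the
telecom's or Salesforce's code). Models the two controls the text says were
missing: an object-level check that ties every customer read to a ticket the
agent is working, and a hard cap on records per request. All roles, tickets
and customer records are constructed sample data."""
from dataclasses import dataclass, field
from urllib.parse import urlsplit, parse_qs

MAX_PAGE_SIZE = 50                            # hard server-side cap, never client-controlled
EXPORT_ROLES = {"data-protection-officer"}    # hypothetical role allowed to bulk export


@dataclass
class Session:
    token: str
    agent: str
    role: str                                  # "tier1", "tier2", ...
    open_tickets: set = field(default_factory=set)   # customer ids with an active ticket


@dataclass
class Response:
    status: int
    body: object = None


# constructed sample customer base: 200 records, phone numbers 31612340001..31612340200
CUSTOMERS = {
    f"c{i}": {"id": f"c{i}", "phone": f"3161234{i:04d}", "iban": f"NL00BANK{i:010d}"}
    for i in range(1, 201)
}
PHONE_INDEX = {c["phone"]: c["id"] for c in CUSTOMERS.values()}


def handle(session: Session, request_line: str) -> Response:
    """Authorize one request line such as 'GET /api/v2/customers/search?phone=... HTTP/1.1'."""
    fields = request_line.split()
    if len(fields) < 2:
        return Response(400)
    method, target = fields[0], fields[1]
    parts = urlsplit(target)
    params = {k: v[-1] for k, v in parse_qs(parts.query).items()}
    if method != "GET":
        return Response(405)

    if parts.path == "/api/v2/customers/search":
        cid = PHONE_INDEX.get(params.get("phone", ""))
        if cid is None:
            return Response(404)
        # object-level check: the record must belong to a ticket this agent is working,
        # regardless of how broad the token's read scope is
        if cid not in session.open_tickets:
            return Response(403, "no active ticket for this customer")
        return Response(200, [CUSTOMERS[cid]])

    if parts.path == "/api/v2/customers/export":
        # bulk export is a distinct privilege, never implied by a helpdesk role
        if session.role not in EXPORT_ROLES:
            return Response(403, "role may not export")
        try:
            limit = int(params.get("limit", MAX_PAGE_SIZE))
        except ValueError:
            return Response(400)
        limit = max(1, min(limit, MAX_PAGE_SIZE))   # clamp whatever the client asked for
        ids = sorted(CUSTOMERS)[:limit]
        return Response(200, [CUSTOMERS[i] for i in ids])

    return Response(404)


if __name__ == "__main__":
    tier1 = Session("t1", "agent42", "tier1", {"c17"})
    for line in (
        "GET /api/v2/customers/search?phone=31612340017 HTTP/1.1",   # customer on the agent's ticket
        "GET /api/v2/customers/search?phone=31612340018 HTTP/1.1",   # any other customer
        "GET /api/v2/customers/export?region=ALL&limit=100000 HTTP/1.1",
    ):
        print(line.split()[1], "->", handle(tier1, line).status)
```

With this in place, the page's export request from a Tier-1 token is refused outright, and even a role that may export receives at most `MAX_PAGE_SIZE` records per call, so dumping the whole base would take tens of thousands of logged, countable requests instead of one.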
The Incident Response
The most alarming aspect of this breach is not just the technical failure, but the subsequent Incident Response (IR) strategy. Following the leak, I initiated a legal summary proceeding (Kort Geding) at the Court of The Hague on 22 June 2026, demanding transparency, remediation, and accountability.
Instead of opening a dialogue on structural IT modernization, the corporate entity responded with what can only be described as a "Legal DDoS" attack. They deployed a six-man legal defense team from top-tier corporate firms (including Freshfields, a "Magic Circle" firm that also defends the King's family in the UK, and Kennedy Van der Laan) against a single consumer.
During the proceedings, it became evident that internal data in various registration systems was being altered and reactivated dynamically while the case was ongoing — a massive red flag for digital chain of custody and forensic integrity.
Why This Matters
The goal of pursuing this through the courts is not financial gain; it is to establish a hard legal precedent. When a CISO or CEO faces zero accountability for neglecting fundamental security architectures — such as API rate limiting and RBAC — while spending millions on reputational defense, the cybersecurity posture of an entire nation's critical infrastructure is compromised.
We cannot fix broken IT architectures if corporate legal teams are allowed to successfully obfuscate technical reality.
Bouncing back to the tech and cybersecurity
To prevent this specific attack vector in your infrastructure:
- Implement BOLA/IDOR defenses. Ensure your API gateways validate object-level permissions for every single request, not just the initial login token.
- Strict pagination and rate limiting. Hardcode maximum return limits on all internal APIs. A Tier-1 user should never be able to pull limit=ALL.
- Velocity-based SIEM alerts. Monitor the volume of READ requests per user/token. Abnormal spikes in database queries from non-administrative accounts must trigger automated session termination.
- Zero Trust for internal tools. Treat your internal CRM and helpdesk portals as if they are facing the public internet.
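The velocity-based alerting point above can be run over gateway logs. The following is an added example (not the telecom's tooling or the author's): it parses access-log lines, keeps a sliding ten-minute window of records returned per session token, and raises an alert naming the token to revoke once a non-administrative role exceeds the record budget a helpdesk workflow could justify. The log format, the role budgets and every log line are constructed assumptions.

```python
"""Velocity-based detection over CRM API gateway access logs (added example; the
log format, budgets and log lines are constructed, not the telecom's real ones).
Counts customer records returned per session token inside a sliding window and
alerts, with a recommended session kill, when a non-admin role exceeds its budget."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# assumed log layout: <iso-ts> token=<id> role=<role> <METHOD> <path?query> <status> rows=<n>
LOG_RE = re.compile(
    r"^(?P<ts>\S+) token=(?P<token>\S+) role=(?P<role>\S+) "
    r"(?P<method>[A-Z]+) (?P<path>\S+) (?P<status>\d{3}) rows=(?P<rows>\d+)$"
)

WINDOW = timedelta(minutes=10)
ROW_BUDGET = {"tier1": 200, "tier2": 1000}   # records a role may plausibly read per window (assumed)
DEFAULT_BUDGET = 50                            # unknown roles get the tightest budget

# constructed sample log: routine lookups, two spaced-out moderate exports, one mass export
SAMPLE_LOG = """\
2026-06-20T09:00:00Z token=t-agent42 role=tier1 GET /api/v2/customers/search?phone=31612345678 200 rows=1
2026-06-20T09:02:10Z token=t-agent42 role=tier1 GET /api/v2/customers/search?phone=31612340001 200 rows=1
2026-06-20T09:05:00Z token=t-agent42 role=tier1 GET /api/v2/customers/search?phone=31612340002 200 rows=1
2026-06-20T09:06:00Z token=t-agent17 role=tier1 GET /api/v2/customers/export?region=NL-N&limit=150 200 rows=150
2026-06-20T09:30:00Z token=t-agent17 role=tier1 GET /api/v2/customers/export?region=NL-S&limit=150 200 rows=150
2026-06-20T09:40:00Z token=t-stolen role=tier1 GET /api/v2/customers/export?region=ALL&limit=100000 200 rows=100000
2026-06-20T09:40:05Z token=t-stolen role=tier1 GET /api/v2/customers/export?region=ALL&limit=100000&page=2 200 rows=100000
2026-06-20T09:41:00Z token=t-stolen role=tier1 GET /api/v2/customers/export?region=ALL&limit=100000&page=3 403 rows=0
"""


def parse(line):
    """Return a dict for one log line, or None if it does not match the layout."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.fromisoformat(ev["ts"].replace("Z", "+00:00"))
    ev["status"] = int(ev["status"])
    ev["rows"] = int(ev["rows"])
    return ev


def detect(lines):
    """Return alerts as (token, role, rows_in_window, trigger_time), one per token."""
    windows = defaultdict(deque)   # token -> deque of (ts, rows) inside WINDOW
    totals = defaultdict(int)      # token -> rows currently inside the window
    alerted, alerts = set(), []
    for line in lines:
        ev = parse(line)
        # only successful reads count: denied requests returned no data
        if ev is None or ev["method"] != "GET" or ev["status"] != 200:
            continue
        tok, q = ev["token"], windows[ev["token"]]
        q.append((ev["ts"], ev["rows"]))
        totals[tok] += ev["rows"]
        # slide the window: drop events older than WINDOW relative to this event
        while q and ev["ts"] - q[0][0] > WINDOW:
            _, old_rows = q.popleft()
            totals[tok] -= old_rows
        budget = ROW_BUDGET.get(ev["role"], DEFAULT_BUDGET)
        if totals[tok] > budget and tok not in alerted:
            alerted.add(tok)
            alerts.append((tok, ev["role"], totals[tok], ev["ts"]))
    return alerts


def tokens_to_revoke(lines):
    """Session tokens the SIEM should terminate automatically."""
    return {a[0] for a in detect(lines)}


if __name__ == "__main__":
    for tok, role, rows, ts in detect(SAMPLE_LOG.splitlines()):
        print(f"{ts.isoformat()} ALERT token={tok} role={role} rows_in_window={rows} -> terminate session")
```

The two 150-record exports by `t-agent17` are 24 minutes apart, so neither window ever holds more than 150 rows and no alert fires; the first 100,000-row export by `t-stolen` trips the budget on its own, which is the point: a single compromised Tier-1 token should be killed on the first request that no helpdesk ticket could explain, not after millions of records are gone.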
If you are researching the intersection of digital human rights, telecom vulnerabilities, and corporate legal accountability, the complete technical documentation and court filings from the June 22 proceedings are available for independent verification. Furthermore, I am currently preparing a major lawsuit on the merits (bodemprocedure). If you are interested in joining this effort to establish a legal precedent against corporate negligence, please reach out.