The Salesforce data breach at Dutch telecom provider Odido in early 2026 illustrates a broader shift in enterprise technology governance. Platforms such as CRM and marketing automation have evolved from operational tools into critical commercial infrastructure. When incidents occur in these systems, the consequences extend far beyond IT.
What initially appeared to be a cybersecurity incident quickly became a business issue for Odido, influencing customer behaviour and raising questions about the governance of enterprise customer platforms. For companies preparing for IPOs, mergers, or spin-offs, the governance of CRM and marketing platforms is no longer simply a technical matter. It is a boardroom issue.
The infrastructure misclassification
There is a persistent tendency in large enterprises to classify systems like Salesforce CRM and marketing automation tools as operational infrastructure — used primarily for campaigns, reporting, and lead management. In reality, these platforms have evolved into the commercial operating systems of modern enterprises.
They increasingly contain the most sensitive and strategically important data in the organisation: customer identity data, consent histories, behavioural and transactional information, and integrations across sales, marketing, and customer service systems. These platforms sit at the intersection of customer trust, regulatory exposure, and revenue generation. When governance of these systems fails, the consequences quickly move beyond the IT department.
“Systems such as Salesforce CRM are no longer simply marketing or sales tools. They form part of the commercial infrastructure that underpins how organisations acquire, serve, and retain customers.”
A recurring risk in transformation programmes
In large digital transformation programmes, this governance pattern appears repeatedly. It is particularly acute in organisations undergoing major corporate events: mergers and acquisitions, spin-offs or carve-outs, and IPO preparation.
These events create concentrated periods of change in system architecture, data ownership, and access control. Legacy permissions persist as organisations are restructured. Data flows that were appropriate in one corporate structure become compliance exposures in another. Access controls that reflected operational realities in 2022 may no longer reflect the post-transaction organisation of 2026.
Governance of customer data increasingly becomes a valuation issue rather than just an operational concern. Acquirers and investors have begun to include CRM data quality, consent record integrity, and access control hygiene in due diligence assessments. The Odido case makes clear why: a governance failure in commercial infrastructure is not just an IT incident. It is a commercial and reputational event.
Key takeaway
The Odido case highlights an important shift in how enterprise platforms should be understood. For companies preparing for significant corporate events — IPOs, acquisitions, or spin-offs — governance of customer platforms deserves attention at the highest levels of the organisation.
Security, access control, and data governance within these systems directly influence the resilience of the company’s commercial engine. And as the Odido breach illustrates, failures in that infrastructure can move from the IT department to the boardroom remarkably quickly.
The governance question is not whether your CRM is secure in an IT sense. It is whether the access controls, data flows, and consent infrastructure that sit within your commercial platform reflect the actual current state of your organisation — its ownership structure, its regulatory obligations, and the customer trust it depends on.
The Gravity Scan maps your marketing stack across 28 assessment areas — identifying where foundation maturity is sufficient, where it is not, and what to address before the next AI investment decision.