Identity Theft and Data Breaches
Click Less, Verify More
Most online problems arise from haste. Most protection comes from brief, calm verification.
With identity theft and data breaches, the gain lies in routine: verifying through a second channel and not acting under digital pressure.
The goal is not perfection, but predictably safe behaviour that holds up even on busy days.
Immediate measures (15 minutes)
Why this matters
This chapter is about reducing the risk of identity theft and data breaches in practice. Technical context supports the choice of measures, but carrying them out and making them routine is what counts.
The story of the GGD employees who took a peek at your file
In January 2021, the Netherlands woke up with a hangover that had nothing to do with New Year's Eve. Two employees of the GGD had offered the personal data of millions of Dutch people for sale on Telegram. Name, address, phone number, BSN, test results — all available for a few hundred euros to the highest bidder. It was not a brilliant feat of hacking with black hoodies and flickering screens. They were simply two people with a login account and a lack of decency.
That is the uncomfortable truth about data breaches: you can do everything right yourself — strong passwords, two-factor verification, the whole nine yards — and then an organisation you trusted still leaks your data like a sieve. You have exactly zero control over that. But you do have control over what happens afterwards. And that is what this chapter is about.
What is a data breach, exactly?
A data breach sounds technical, but it is actually quite simple: it means that data that should have remained private has ended up in the wrong hands. This can happen in various ways:
- A hack — someone digitally breaks into a company and steals customer data
- A human error — an employee sends an Excel file with a thousand customer addresses to the wrong person
- A malicious insider — as with the GGD, someone with access who abuses that access
- A lost laptop or USB stick — with unencrypted data on it
And it is not just passwords. In data breaches, the following data can end up exposed:
| Type of data | Risk if it leaks |
|---|---|
| Email address + password | Logging into your accounts (especially if you reuse passwords) |
| Name + address + date of birth | Identity fraud, fake accounts in your name |
| BSN (citizen service number) | Fraud with government agencies, tax returns filed in your name |
| Bank details | Theft of money, fraudulent direct debits |
| Medical data | Blackmail, discrimination by insurers |
| Phone number | SIM-swapping, phishing via SMS |
The frustrating thing is: you often only notice months later. Your data is collected, resold, combined with data from other breaches, and only then used. It is like someone quietly copying a key to your house — you only notice when they walk in.
Check whether your data has been leaked
There is a website you can use to check whether your email address appears in known data breaches. The site is called Have I Been Pwned (loosely translated: "Have I been got?") and was created by security researcher Troy Hunt. It is free, reliable, and recommended by governments worldwide.
How to use Have I Been Pwned
- Open your browser and go to haveibeenpwned.com
- You will see a large search field at the top of the page with the text "email address"
- Type your email address there — the address you use most
- Click the "pwned?" button
- You will now get one of two results:
  - Green screen: "Good news — no pwnage found!" — your email address was not found in known breaches
  - Red screen: "Oh no — pwned!" — your email address was found in one or more data breaches
- If it is red: scroll down. You will see a list of data breaches in which your email address appears, with details of which data was leaked in each breach
- Repeat this for all your email addresses (work, personal, that old Hotmail address)
Tip: You can also sign up for notifications. Click "Notify me" at the top of the page and enter your email address. You will then automatically be notified if your data appears in a future data breach.
What do you do if you appear in one?
No panic. Appearing in a data breach does not automatically mean something bad has happened. But it does mean you need to act:
- Immediately change the password of the service that was breached
- Change that password everywhere you have used the same password (and stop doing that — use a password manager)
- Enable two-factor verification at that service if possible
- Pay extra attention over the coming weeks to strange emails, text messages or phone calls
Your BSN is sacred — treat it that way
Your citizen service number (BSN) is the key to your digital identity with the government. With your BSN, someone can:
- File a tax return in your name
- Apply for benefits in your name
- Claim medical treatments
- Register a company
And yet all sorts of organisations cheerfully ask for it, as if it were your customer number at the video shop. Here is the thing: most organisations are not allowed to ask for your BSN at all.
Who is allowed to ask for your BSN?
| May ask | May not ask |
|---|---|
| The Tax Authority | Your gym |
| Your employer | Your phone provider |
| Your bank (when opening an account) | An online shop |
| Your health insurer | Your landlord |
| The municipality | A car rental company |
| Educational institutions | An energy supplier* |
*Energy suppliers may only ask for your BSN in specific cases for energy tax purposes, not as a standard practice.
Ground rules for your BSN
- Never give your BSN via email, phone or WhatsApp — a legitimate organisation will not ask for it through those channels
- Always ask why an organisation needs your BSN and under which law
- If in doubt: don't give it — you can always provide it later
- Store documents containing your BSN under lock and key — physically and digitally
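One way to apply these ground rules to digital text, as an added example that is not part of the original article: a check that finds BSNs in a draft email or document and masks them before it is sent. It relies on the standard BSN checksum (the "elfproef" or 11-test), which the article does not describe; the function names, the mask text and the sample draft are constructed for illustration.

```python
import re

# BSN checksum ("elfproef", 11-test): weighted digit sum divisible by 11,
# with the last digit weighted -1. This rule is not described in the article.
WEIGHTS = (9, 8, 7, 6, 5, 4, 3, 2, -1)

# Nine digits, optionally grouped with dots or spaces (123.456.782), that are
# not part of a longer digit run such as a phone number or IBAN.
CANDIDATE = re.compile(r"(?<!\d)(?:\d[ .]?){8}\d(?!\d)", re.ASCII)

MASK = "[BSN removed]"


def is_valid_bsn(digits: str) -> bool:
    """True if the 9-digit string passes the 11-test."""
    if len(digits) != 9 or not (digits.isascii() and digits.isdigit()):
        return False
    if digits == "000000000":  # checksum is 0, but this is not a real number
        return False
    return sum(w * int(d) for w, d in zip(WEIGHTS, digits)) % 11 == 0


def find_bsns(text: str) -> list[tuple[int, int, str]]:
    """Return (start, end, digits) for every BSN-shaped number in text."""
    hits = []
    for m in CANDIDATE.finditer(text):
        digits = re.sub(r"[ .]", "", m.group())
        if is_valid_bsn(digits):
            hits.append((m.start(), m.end(), digits))
    return hits


def mask_bsns(text: str) -> str:
    """Replace every detected BSN with a fixed marker."""
    out, last = [], 0
    for start, end, _ in find_bsns(text):
        out += [text[last:start], MASK]
        last = end
    return "".join(out + [text[last:]])


# Constructed sample draft; 111222333 and 123456782 are checksum-valid test
# values, not real people's numbers.
SAMPLE = (
    "Dear landlord, my BSN is 111222333 and my phone is 0612345678.\n"
    "Order 123456789 was paid from NL91ABNA0417164300. Old BSN: 123.456.782\n"
)

if __name__ == "__main__":
    print(find_bsns(SAMPLE))
    print(mask_bsns(SAMPLE))
```

Roughly one in eleven arbitrary nine-digit numbers also passes the checksum, so treat each hit as a candidate to review, not as proof that the number is a BSN.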
Sharing a copy of your ID safely
Sometimes you need to send a copy of your identity document. For a new job, a new landlord, or when signing up for certain services. But an unprotected copy of your ID is gold for fraudsters.
The KopieID app
The Dutch government has created a free app that lets you make a secure copy of your identity document. The app is called KopieID and is available for both Android and iPhone.
- Download the KopieID app from the App Store or Google Play Store
- Open the app and take a photo of your identity document
- The app now lets you add a watermark with:
  - For whom the copy is (for example "Housing Corporation Hestia")
  - The date on which you make the copy
- You can have your BSN crossed out if the recipient does not need it
- You can also have your passport photo blurred if that is not needed
- The app automatically adds the watermark "KOPIE" (COPY) across the entire document
- Save the secured copy or share it directly
Tip: Never send an unprotected photo of your ID via WhatsApp or email. Always use the KopieID app. It takes two minutes and can save you years of trouble.
Recognising identity fraud
Identity fraud is insidious because it often only becomes apparent once the damage has already been done. Watch out for these warning signs:
- Letters from debt collectors for debts you did not incur
- Rejection of a mortgage or loan while you have always paid on time
- Bills or subscriptions you did not take out
- Letters from the Tax Authority about income you did not have
- Your DigiD account suddenly stops working or there are login attempts you do not recognise
- Strange debits on your bank account
- You stop receiving post (someone may have changed your address)
- A healthcare provider calls about an appointment you did not make
Note: One of the most common forms of identity fraud in the Netherlands is taking out phone subscriptions in someone else's name. If you suddenly receive a welcome letter from a provider you are not a customer of, take it seriously.
Checking your BKR registration
The Bureau Krediet Registratie (BKR) in Tiel keeps track of which loans and credits are registered in your name. If someone commits fraud using your identity, this may be visible in your BKR registration.
How to check your BKR registration
- Go to mijnbkr.nl
- Create an account (or log in if you already have one)
- You need to verify your identity — this can be done via iDIN (logging in via your bank) or with your identity document
- After verification you can view your Personal Credit Overview
- Check whether all listed credits and loans are genuinely yours
- See something you do not recognise? Contact the relevant lender and the BKR immediately
Tip: Check your BKR registration at least once a year, just like you have an MOT done on your car. It takes a few minutes and you immediately know if something odd is going on. The first overview per year is free.
What to do in case of identity theft
If you discover that someone is misusing your identity, this is your step-by-step plan:
Step 1: File a report with the police
- Go to the nearest police station or call 0900-8844
- File a report of identity fraud — explicitly request an official record (proces-verbaal)
- Keep your report number safe — you will need it for every subsequent step
- Ask the police for a Declaration of Identity Fraud Report
Step 2: Alert your bank
- Call your bank's fraud department immediately
- Have suspicious transactions blocked
- Request new bank cards and possibly a new account number
- Send the bank a copy of your report
Step 3: Report it to the Fraud Helpdesk
- Call 088-786 73 72 or go to fraudehelpdesk.nl
- They will register the fraud and can advise on next steps
Step 4: Check and secure your DigiD
- Log in at digid.nl and check your login history
- Change your password
- Enable the DigiD app as extra verification if you have not already done so
- Check that your phone number and email address are still correct
Step 5: Inform lenders
- Contact the BKR and report the fraud
- Write to companies where fraudulent agreements were made in your name, including a copy of your report
Step 6: Document everything
Create a folder with all correspondence. Note dates, names and reference numbers. Keep everything for at least five years.
Prevention: share less, less risk
The best protection against identity theft is simple: share as few details as possible.
Practical tips
- Fill in only the mandatory fields when registering online (those marked with an asterisk, *) and leave the rest blank
- Use a separate email address for newsletters and registrations at online shops
- Delete old accounts you no longer use — every account is a potential leak
- Google yourself regularly and see what can be found about you
- Shred post containing personal data before throwing it away
- Do not respond to requests for data via email, SMS or phone — contact the organisation yourself using the official number
- Use the KopieID app for every copy of your identity document
- Store physical documents containing sensitive data in a locked cabinet or safe
Tip: With every registration, ask yourself: does this company really need to know my date of birth? My address? My phone number? Often the answer is no.
Data breach notification obligation: what can you expect?
Since the introduction of the GDPR (the European privacy law), organisations are required to report serious data breaches to the Dutch Data Protection Authority (AP). And if the breach poses a high risk to you, they must also notify you personally.
What organisations must do
| Obligation | Deadline |
|---|---|
| Notification to the Dutch Data Protection Authority | Within 72 hours of discovery |
| Notification to affected individuals (in case of high risk) | As soon as possible |
| Maintaining documentation of the breach | Ongoing |
What you can expect when you are notified
A good notification contains: what happened, which data was leaked, what the organisation has done to close the breach, what you can do to protect yourself, and a contact person for questions.
What if an organisation does not report it?
If you suspect an organisation is concealing a data breach, you can file a report yourself with the Dutch Data Protection Authority via autoriteitpersoonsgegevens.nl. The AP can conduct an investigation and impose fines running into the millions.
Do this today
Below is your checklist. No excuses — these are the things you can arrange today:
Remember: You cannot prevent an organisation from being hacked. But you can ensure you are as little affected as possible when it happens. Share less, check more often, and know what to do when things go wrong.
Further reading in the knowledge base
These articles in the portal give you more background and practical context:
- Passwords — a brief history of collective failure
- Recognising phishing
- Two-factor verification — the door locked and bolted
- VPN — a tunnel through the wild internet
- The Dark Web — what it is and why it matters