A wake-up call for managing your privacy, security and fraud risks

Understanding the far-reaching impact of large-scale data breaches

The Eurofins data breach
  • Publication
  • 29 Oct 2025

In recent years, organisations have faced a surge of sophisticated cyber-attacks that have exposed sensitive personal data and personal identifiers on a large scale. From major healthcare providers and financial institutions to government agencies, high-profile breaches have compromised millions of individuals’ personal information, raising the stakes for privacy and security. Threat actors, enabled by emerging technology, are becoming more and more sophisticated and targeted, often demanding large ransoms while stolen data continues to circulate in shadowy digital markets. These types of incidents serve as stark reminders of the crucial need to understand and manage risks posed by data breaches, especially those involving sensitive personal information.

Breaches concerning sensitive data or personal identifiers

Recently, cases in the public sphere have drawn significant attention due to the nature of the compromised sensitive records and personal identifiers like names, birthdates, and BSN numbers. This combination of personal information and identifiers can build a comprehensive profile, offering fraudsters plenty of opportunities to mislead individuals or organisations in a sophisticated and targeted manner. The Dutch ‘burgerservicenummer’ (BSN) in particular, used as a one-off unique identifier crucial for citizen-government interactions, holds considerable weight in those interactions and, when misused, becomes a powerful tool for fraudsters eager to exploit personal data for illicit gains.

Real-life examples highlight the serious privacy, security, and fraud risks that individuals and organisations face. Let's explore two critical risk areas that require your attention.

Possible consequences of data breaches involving key personal identifiers

Risk of identity theft and/or fraud

Identity theft occurs when personal information is unlawfully used for deception, typically for financial gain. Fraudsters can build realistic profiles to obtain information from individuals or organisations through methods like targeted phishing emails or social engineering that can result in revealing confidential information or performing specific actions. Such activities can have far-reaching impacts, such as financial loss and reputational damage, and may require significant effort to restore your identity and secure affected accounts.

  • Example of targeted phishing: A fraudster impersonates your health provider. They send an extremely convincing phishing email, pretending to be a trusted representative. The email mentions data from your file, including various personal identifiers, and tricks you into revealing sensitive details from your account or files, which are then used to access and exploit your account.
  • Example of social engineering: A fraudster leverages the combination of your stolen personal details to convince a customer service representative at a telecommunications company that they are you, tricking them into revealing sensitive account details or changing your contact information and password, which then allows the fraudster to take control of your account.

Risk of physical safety, harassment or discrimination

Stigmatization and discrimination arise when individuals are unfairly judged based on personal traits such as ethnicity, health status, or socioeconomic background. Criminals could leverage this sensitive information to blackmail individuals, causing harm to personal and professional lives, emotional distress, and barriers to access services and opportunities.

  • Example of extortion/blackmail: Following a data breach, your sensitive personal details are leaked on the Dark Web. A criminal gains access to this sensitive data and contacts you, threatening to release it to your family or workplace unless you pay a ransom.
  • Example of harassment/safety: After a data breach, your personal information is leaked online. People in your community or workplace obtain this information and use it to threaten, intimidate, or harass you in real life, putting your physical safety at risk.
  • Example of discrimination: An insurance company uses leaked data (e.g., personal identifiers and medical data combined with publicly available information) to develop a profile on you and on that basis decides not to grant you a specific insurance.

What now?

The scope, volume and nature of the recent data breaches highlight the need for individuals and organisations to enhance awareness of risks associated with the misuse of personal identifiers. While a single personal record alone provides limited opportunities for fraudsters, the combination of multiple identifiers significantly expands the potential for exploitation.

Legal safeguards protect individuals from discrimination, while technical measures like two-factor authentication are rapidly becoming the new standard to prevent unauthorized access to personal information. At the same time, the ability of fraudsters to develop more sophisticated social engineering and phishing tactics is rapidly growing. The increase of open source or leaked information, paired with the rapid growth of AI capabilities, only accelerates and formalizes these attempts. Understanding preventative measures becomes paramount.

Examples of measures individuals can take:

  • Share your BSN only when explicitly legally required.
  • Mask BSN numbers and other sensitive details on photocopies of identification documents.
  • Monitor physical mail and MijnOverheid for unfamiliar letters about new contracts, benefits, or tax-related matters.
  • Verify your registrations in the Basisregistratie Personen (BRP - the Dutch Personal Records Database) via MijnOverheid (the Dutch government’s secure online portal). 
  • Exercise caution when receiving emails indicating changes to personal information. 
  • Be mindful of the high risks of phishing (formal institutions such as banks will never ask you to make changes directly via email links). 
  • Evaluate the privacy practices and mechanisms of organisations you interact with.
  • Strengthen the authentication methods of all your accounts (e.g., Multi-Factor Authentication).
  • Use the functionality ‘hide my email address’ on Apple devices (for other devices use aliases).

For those directly impacted by such breaches who suspect the misuse of identity, the Dutch Government has the portals Fraudehelpdesk and Centraal Meldpunt Identiteitsfraude (CMI) that can provide targeted advice and/or support in connecting the notification to other (government) agencies.

Examples of security measures for organisations:

Both commercial and government organisations need to stay vigilant, not only with their technical and privacy measures but also in all customer interactions where identity misuse could occur. The previously mentioned risk scenario highlights growing capabilities of fraudsters in employing deceptive tactics and forms of social engineering, making it essential to:

  • assess and test security processes and protocols related to social engineering and deceptive tactics;
  • implement appropriate controls and measures for identification and authentication; 
  • ensure all employees in consumer-facing roles are thoroughly educated on the risks of identity theft and fraud; and
  • monitor and enforce strict compliance with privacy and security protocols at every stage.

The risks posed by data breaches involving sensitive personal data and personal identifiers cannot be overstated. Both individuals and organisations should remain proactive in safeguarding personal information, staying alert to evolving threats, and adopting privacy and security best practices across their business processes.

And when we look beyond social engineering, we also see threats intensifying on a much wider scale: data theft for financial gain, industrial espionage to capture proprietary knowledge and intellectual property for new products and services, and intelligence gathering to support (military) operations. The growing use of AI across these attack vectors amplifies the risk and requires sophisticated security controls to safeguard organisations, their customers and suppliers, and society at large.

By creating awareness of the evolving threats and potential risks and impacts both on an individual level and on a broader scale, we can start to collectively reduce the likelihood of adverse outcomes, such as identity theft and fraud, protecting ourselves and our communities in an increasingly digital world.

Contact us

Angeli Hoekstra

Partner Cybersecurity, Privacy & Resilience, PwC Netherlands

Tel: +31 (0)63 086 15 22