Secrets of 114,000 Data Breaches: Insights from the Dutch Data Protection Authority

Estimated read time 3 min read

This article is a recap of an interview originally conducted by with the Dutch Data Protection Authority (Autoriteit Persoonsgegevens, AP). The interview delves into the insights we can draw from over 114,000 reported data breaches in the Netherlands in the past five years.

A Snapshot of Data Breaches

Data breaches occur daily, often due to mishaps in sending post and email. Dennis Davrados, the Data Breach Coordinator at the AP, highlights that breaches also occur when data that should have been deleted leaks, or when basic security measures are not in place.

Interestingly, most data breach reports to the AP come in on Thursdays and Fridays. Davrados explains, “People make mistakes on Monday and Tuesday, and due to the 72-hour rule, the data breach is reported later in the week.”

The Main Culprit: Postal Errors

A significant cause of data breaches is errors in sending post. Of the 114,000 data breach reports since 2018, nearly 88,000 fall into the category of “Letter or parcel with personal data received opened, lost, or sent or delivered to the wrong recipient(s).” Thousands of data breaches also resulted from the misuse of the CC option instead of BCC in emails.

The Human Factor

Davrados emphasizes the role of the human factor in data breaches. He suggests that organizations should continually seek smart solutions to prevent data breaches and minimize human error in processes.

IT Suppliers and Data Theft

Data breaches are increasingly resulting from cyberattacks. In 2021, there were more than 1,800 such incidents. Davrados notes two trends in this category: the involvement of IT suppliers in data breaches and data theft in ransomware attacks.

Reporting Data Breaches

Another area of concern is the reporting of data breaches to the victims. Davrados notes that organizations often inform victims, but not in a way that is helpful. He stresses the importance of providing victims with useful information to enhance their digital resilience.

Fines and Penalties

In cases of GDPR violations, the AP can impose fines. However, Davrados notes that the focus is primarily on ending the violation and ensuring that organizations adequately secure their systems.

Data Breach Fatigue

With the daily stream of data breaches, there is a risk of fatigue among victims. Davrados emphasizes the importance of privacy and the severe consequences of becoming a victim of identity fraud.

Sharpening Security

The AP calls on organizations to tighten their security. Davrados points out that organizations often drop the ball in the IT field, leading to breaches. He also highlights the importance of data minimization to reduce the impact of a data breach.

Netherlands Cybersecurity outlook 2023

The Netherlands has always been at the forefront of digital innovation, and with this comes the inevitable challenge of cybersecurity. The 2023 threat landscape report provides an overview of the current cyber threats faced by Dutch society and government.

The lessons from the 114,000 data breaches are clear: organizations must improve their security measures, minimize data, and enhance their reporting to victims.

  • Read the official interview at (Dutch)
Reza Rafati

Reza Rafati, based in the Netherlands, is the founder of An industry professional providing insightful commentary on infosec, cybercrime, cyberwar, and threat intelligence, Reza dedicates his work to bolster digital defenses and promote cyber awareness.

You May Also Like

More From Author