Data breaches in the Netherlands: paper is the biggest cause
Ask any business owner where a data breach comes from and the answer is almost always the same: hackers. Yet that picture does not match the figures. The Dutch Data Protection Authority (Autoriteit Persoonsgegevens, AP) tracks how many data breaches are reported and what causes them. Those public reports lead to a surprising conclusion. The biggest cause of data breaches in the Netherlands is not a cyberattack, but paper. A misdelivered letter, a lost file, a stack of old paper left out on the street. This article analyses those figures and shows what you can do about it.
The figures nobody expects
Across all of 2024, the Autoriteit Persoonsgegevens received 37,839 data breach reports. A year later that number rose further. Behind that total sits a breakdown that runs counter to gut feeling. When the AP looks at the cause of data breaches reported by companies and organisations, about 41 percent of cases involve a letter or parcel containing personal data. Misdelivered, lost or returned unopened. That is by far the most reported category, and it has been that way for years.
For comparison: email sent to the wrong recipient accounts for about 18 percent. The category everyone thinks of, the cyberattack by a hacker, is responsible for about 5 percent of the reports. Paper and post together are therefore many times larger than the cyber picture that makes the headlines.
Source: Autoriteit Persoonsgegevens, data breach report first half of 2024. Percentages rounded. The other causes category bundles, among other things, verbal disclosure and lost equipment.
What the figures say exactly, and what they do not
Honesty is in order here, because it is easy to overstate figures. The 41 percent category is about a letter or parcel with personal data ending up in the wrong place. That is not the same as improperly destroyed paper. A large part of these reports arises in the post. A policy sent to the previous occupant, a letter with the wrong address on the envelope, a parcel that gets lost with the courier. Document destruction does not prevent such a misdelivery.
What the figures do show is a broader pattern. Physical personal data on paper is the dominant source of data breaches in the Netherlands. Not the dramatic kind, but the dull kind. Human actions with documents, not code. Within that broad pattern there is a part you have entirely in your own hands. Paper you no longer need, but which keeps lying around or disappears unsecured with the recycling. That is the avoidable corner of the problem, and the rest of this article is about it.
Why paper is the blind spot
Almost every organisation has put money into digital security in recent years. Firewalls, password policies, phishing training. Rightly so, because a cyberattack can hit hundreds or even more than a million people in one blow. But while the attention went to the screen, the archive cabinet stayed out of view. That is where the binders of payslips sit, the boxes of old client files, the bin of documents that should really have gone already.
That blind spot is understandable. A digital breach feels modern and threatening. A stack of paper feels harmless. Yet that paper is often accessible for years to anyone who walks past, far longer than an attacker sits in a network. A move, a renovation, an employee who leaves. Every moment boxes are shifted is a moment paper can end up on the street. The AP figures show this is not theory, but the most reported practice.
If you recognise this risk in your own archive, read on in 6 signs your archive is a GDPR risk.
What destruction does and does not solve
It is tempting to say now that document destruction solves the data breach problem. That would not be honest. Destruction does not prevent a letter from being misdelivered and does not prevent an email from going to the wrong person. What destruction does do is remove a concrete and avoidable source: paper you no longer need.
Think of the client administration whose retention period has passed, the personnel files of people who left years ago, the job applications you should never have kept. As long as that paper exists, it is a potential breach. Once it is demonstrably destroyed, the risk is gone. Not moved to another cabinet, but really gone. That is the sober gain. You shrink the pile that could one day become a report.
There is a second reason. If something goes wrong despite everything, you must be able to demonstrate that you handle data carefully. A certificate of destruction is your proof of that. It shows that the paper was destroyed at the right level and when. That is the difference between being demonstrably in control and having nothing to show afterwards. More on that burden of proof is in demonstrable destruction for the GDPR.
Self-check: how vulnerable is your paper flow?
The AP figures cover the whole of the Netherlands. The question that counts is what your own situation looks like. Run through these points.
- Do you know which paper is past its retention period? Anything kept too long is unnecessary risk.
- Is there a box of old files somewhere with no clear destination? That is exactly the pile that gets lost in a move.
- Does confidential paper ever end up with the ordinary recycling at your place? An open paper bin stands on the street for days.
- Do you get proof when paper is destroyed? Without a certificate you can demonstrate nothing afterwards.
- Do you know who has access to your physical archive? Access without oversight is a breach in the making.
If you hesitate on one or more points, that is where your vulnerability lies. A first clear-out brings the pile down straight away. How to tackle that is in the step-by-step plan to clear out your archive, and for smaller administration in clearing out old paperwork.
What it costs to remove that pile
Having paper destroyed confidentially is not a big investment. You pay a fixed price per box or roll container, from about 30 euro for the first box. The certificate is included. Within 20 km of Amsterdam we charge no call-out fee. Through pooled routes a fixed price is possible nationwide too. A one-off clear-out of years of accumulated paper can thus be handled in one go. Set against the costs and reputational damage of a data breach, that is a small price for a risk you remove entirely.
A real-world example
An advisory firm discovers, during a move, a room full of boxes of old client files. Nobody knows exactly what is in them anymore. The contents turn out to be years past the retention period. In the old premises the boxes stood open and accessible to cleaners, visitors and temporary staff. Exactly the kind of situation where a data breach arises. The firm has the boxes collected sealed and destroyed at the right level, and records the certificates in the record of processing. The vulnerable pile is gone, the proof is there, and at the next inspection it takes a few minutes to show that the paper was demonstrably cleared out.
Remove the pile of sensitive paper?
Tell us how many boxes or binders are past their retention period and you get a fixed price. We collect it sealed, destroy it to the right DIN level and you receive a certificate as proof for your GDPR file. No call-out fee within 20 km of Amsterdam.
Request a quoteFrequently asked questions
What is the biggest cause of data breaches in the Netherlands?
According to the Autoriteit Persoonsgegevens, about 41 percent of the data breach reports by organisations involve a letter or parcel with personal data that was misdelivered, lost or returned unopened. Paper and post are therefore the most reported cause, well above cyberattacks.
Are hackers not the main cause of data breaches?
Not in number. Cyberattacks are about 5 percent of the reports. They do often affect far more people per incident and the impact is large. In pure numbers, human errors with paper and email are far more common.
Does document destruction solve the data breach problem?
Not entirely. Destruction does not prevent a letter from being misdelivered. It does remove a concrete, avoidable source: paper that lies around too long or is thrown out unsecured. Demonstrable destruction takes that pile out of your risk.
Where do these figures come from?
From the public data breach reports of the Autoriteit Persoonsgegevens. The AP publishes the number of reports and the main causes every year. The percentages in this article come from those reports and can be checked on the AP website.
What can my organisation do right away?
Map your paper flow, check retention periods and have documents that may go destroyed confidentially with a certificate. That way you shrink the pile of sensitive paper that could become a data breach. A more extensive approach for SMEs is in GDPR and document destruction, what SMEs must do.
Conclusion
The idea that data breaches are mainly the work of hackers does not match the Dutch figures. The Autoriteit Persoonsgegevens shows year after year that paper and post are the most reported cause, far above the cyberattack. Part of that happens in the post and is hard to prevent. But another part is entirely in your own hands. Paper that is past its retention period and yet keeps lying around is a breach waiting to happen. Map your paper flow, check the periods and have what may go demonstrably destroyed. That way you remove the dullest but biggest cause of data breaches at your own end.
See also: do you know what to do if it does go wrong? Then follow the step-by-step plan to report a data breach within 72 hours. Then go deeper with 6 signs your archive is a GDPR risk and demonstrable destruction for the GDPR.
Remove the biggest cause at your own end? Request a quote via desnipperaar.nl or first read how the certificate of destruction forms your proof. We collect the sensitive paper sealed.