
September 24, 2025

Changing BSN in the Netherlands – Facts & Cybersecurity Advice

 

Introduction: concerns following data breaches in the Netherlands

The recent data breach at Bevolkingsonderzoek Nederland once again demonstrated how vulnerable personal data can be. Citizens asked en masse whether they could have their citizen service number (BSN) changed to prevent identity fraud. However, the answer from the Rijksdienst voor Identiteitsgegevens (RvIG) is clear: changing a BSN is not possible.

This raises questions: what does this mean for citizens and businesses? How great is the risk in the event of a data breach? And what measures can you take to prevent data misuse? In this blog, we explain the situation and why proactive cybersecurity is essential for Dutch organizations.

What is a BSN and why can’t you change it?

The BSN is a personal number used by the government, health care institutions and companies to exchange data. The number itself carries no information: with only a BSN, criminals cannot take out loans or apply for benefits. That always requires additional verification, such as DigiD or a valid ID.

Changing a BSN sounds logical after a data breach, but in practice it would have huge consequences:

  • All government organizations as well as private parties would have to re-link their records.

  • This process is error-prone and hardly feasible on a large scale.

  • For citizens themselves, it would create a lot of confusion and risk of mismatches.

Therefore, it is not legally or technically possible to change a BSN.

 

The real problem: identity fraud and cyber attacks

While a BSN by itself is not enough to commit fraud, we increasingly see data from breaches combined with other stolen data. Consider:

  • Phishing emails in which DigiD login credentials are captured.

  • Bank account numbers known through previous hacks.

  • Data from healthcare or educational institutions that is merged.

In that context, a BSN can be valuable to criminals. So the risk is not in the BSN itself, but in the chain of data breaches.

 

How can Dutch companies and citizens protect themselves?

The Central Identity Fraud Disclosure Office (CMI) advises vigilance for suspicious messages. But for companies, this is only part of the solution.

At ALTA-ICT, we implement cybersecurity strategies that do work:

  • ISO27001-certified protection of personal data

  • 24/7 monitoring & threat detection to prevent data breaches

  • AVG (GDPR) and NEN7510 compliance for healthcare and government

  • Awareness training so employees recognize phishing faster

 

ROI: why investing in cybersecurity pays off

A data breach costs Dutch organizations an average of €150 per leaked record (source: IBM Cost of Data Breach Report 2025). For an SME organization with 10,000 customer records, that can add up to €1.5 million in direct and indirect damages.

Compare that with investments in:

  • Preventive monitoring

  • Incident response plans

  • Compliance audits

Their cost is only a fraction of the damage a leak can cause.


 

Conclusion: changing BSN is not possible – strengthening security is.

Changing a BSN is not a solution against identity fraud. The real solution lies in proactive cybersecurity and strengthening digital resilience.

👉 Want to know how your organization can better protect BSN and customer data?
Schedule a free ICT consultation with ALTA-ICT today: alta-ict.co.uk/free-consultation

 

Reference

¹https://www.rvig.nl/nieuws/17-09-2025-bsn-wijzigen-mag-dat
