Identity fraud surges in Netherlands as social media and sex sites demand passport scans

Identity fraud is rising sharply in the Netherlands as social media platforms, sex sites, and travel apps increasingly demand scans of passports and ID cards—often when not required by law—exposing millions of sensitive documents and potential government access to hackers.

In 2025, platforms including Airbnb, Tinder, LinkedIn, Ryanair, Instagram, Facebook, Pornhub, and OnlyFans collected billions of copies of identity documents, up dramatically from just a few thousand in 2024, according to company reports cited by De Telegraaf. Instagram, TikTok, and X also ask for scans from time to time.

Tinder and LinkedIn reportedly use them to fight AI-generated fake profiles, awarding verified users a blue checkmark. Airbnb introduced mandatory checks after problems in rental properties. Many platforms face growing pressure under the EU’s Digital Services Act to strengthen age verification beyond simple self-reported birth dates.

Dutch anti-money laundering and gambling laws legally only require banks, insurers, crypto platforms, and gambling sites to perform such checks. Most others do so voluntarily.

Many services, including LinkedIn, Ryanair, Airbnb, and Roblox, route verifications through the U.S. firm Persona. Its privacy policy allows the sharing of passport data and other sensitive information with third parties inside and outside Europe.

Privacy expert Brenno de Winter warned that a database of passport records is “the jackpot” for both hackers and the U.S. government, which can compel access under laws such as the Cloud Act. A security breach at Persona last week temporarily exposed all its data. Multiple other major companies have suffered recent leaks.

The surge in ID requests, combined with data breaches, has fueled identity fraud, according to De Telegraaf. The Central Reporting Point for Identity Fraud logged 3,373 cases in 2025 involving ID sharing, up from 2,208 in 2024. Numbers are accelerating in 2026, rising from 326 reports in January to 1,350 in April.

Criminals reportedly use the copies to open bank accounts, take out phone subscriptions, apply for credit cards, and make purchases in victims’ names, often leaving them in heavy debt.

Privacy and technology lawyer Stephan Mulders of Blenheim said the practice pits security against privacy. “Verification can help combat abuses and fake profiles, but it brings very significant privacy risks with it. In data breaches, sensitive data can end up on the street, as happened with the Oido leak.” He strongly advises against sharing passport or ID scans when asked by tech companies.

The European Commission is urging member states to adopt its EU age-verification app by year’s end. The app scans an ID once, records only the user’s age, and then serves as proof for age-restricted activities such as buying alcohol or accessing adult content. The Commission says it meets the world’s highest privacy standards but is not making its use mandatory.

The Dutch Data Protection Authority says social media platforms may demand an ID copy only when there is a justified reason to doubt a user’s identity, such as suspicious account activity.

The authority recommends always asking why the copy is needed, contacting the company’s data protection officer, and requesting alternative verification methods. If a copy is unavoidable, users should black out their citizen service number and other unnecessary details.