Dutch town Epe suffers massive data breach exposing nearly all residents' personal info

A recent cyberattack on the Dutch town of Epe's council server compromised personal data for nearly all 32,000 residents. This extensive breach involved the theft of sensitive information, including copies of over 1,000 identity documents.

The incident involved a server used by the Epe town council since 2022. This system processed resident submissions, such as applications and objections, before data moved to core systems. Attackers gained unauthorized access, stealing a wide array of personal identifiers.

This data includes names, addresses, dates and places of birth, and citizen service numbers (BSN) for most of Epe’s population. For a subset of residents, the breach also exposed contact details and bank account numbers. Critically, copies of at least 1,000 identity documents, such as passports and ID cards, were among the stolen files. The council confirmed that no DigiD login details or passwords were compromised.

Epe's Mayor Tom Horn characterized the incident as theft, not merely a leak, describing it as a serious crime. Police have initiated an investigation into the attack. No ransom demand has been reported, and the stolen data has not yet appeared on dark web marketplaces.

The council has offered free replacements for passports, ID cards, and driving licenses to affected individuals. Residents whose identity document copies were taken will receive direct notification by May 8.

This incident highlights the persistent threat posed by cyberattacks targeting public sector entities. Organizations must prioritize robust security practices for systems handling sensitive citizen data, particularly those acting as temporary storage before integration into core systems.

Defenders should implement multi-factor authentication, regular security audits, and data encryption for data at rest and in transit. Continuous employee training on phishing prevention and secure data handling practices remains critical. Additionally, establishing clear data retention policies helps minimize the volume of sensitive information exposed during a breach.

For residents, immediate action includes monitoring bank statements and credit reports for suspicious activity. Replacing compromised identity documents is advisable. The Epe breach follows other significant cyber incidents in the Netherlands this year, including attacks on Booking.com, Chipsoft, and Odido, signaling a heightened threat landscape for Dutch organizations. Watching how law enforcement progresses with attribution and whether the stolen data surfaces will be key next steps.