Cybersecurity | 2 hrs ago

Epe Cyberattack Exposes Personal Data of Nearly All 32,000 Residents

A cyberattack on Epe's council server exposed personal data, including 1,000+ ID copies, for nearly all 32,000 residents. Learn what happened and what defenders should do.

Peter Olaleru/3 min/GB

Cybersecurity Editor

Cyberattack on Epe municipality exposes resident data: what you need to know


Source: Openrijk

A cyberattack on a Dutch council server in Epe compromised the personal data of almost all 32,000 residents, including over 1,000 identity document copies. Authorities confirm this as a data theft incident under police investigation.

A recent cyberattack targeted a council server in Epe, Netherlands, resulting in the compromise of personal data for nearly all of the town's 32,000 residents. The incident, confirmed by local authorities, represents a significant breach of public trust and data security for the municipality.

Attackers stole names, addresses, dates of birth, places of birth, and citizen service numbers (BSN) for most residents. Contact details and bank account numbers were also compromised for some individuals. Critically, at least 1,000 identity document copies, such as passports and ID cards, were among the stolen files. Epe's Mayor Tom Horn emphasized the severity, stating, "People call it a leak, but it is theft," underscoring the criminal nature of the breach.

The compromised server specifically handled documents submitted by residents for applications and objections since 2022, serving as an intermediary before data moved into the main municipal system. Council officials confirmed no DigiD login details or passwords were breached. No ransom demands have been made, nor has the stolen data appeared on the dark web to date. Law enforcement has launched an investigation into the incident.

This incident underscores critical lessons for any organization handling sensitive public data. Implementing robust access controls, ensuring secure configuration of public-facing servers, and performing regular security audits are foundational steps. Organizations must also prioritize data minimization, retaining only necessary data for specified periods, and encrypting sensitive information both in transit and at rest. Regular patching schedules and a clear incident response plan are essential to mitigate similar risks.

Organizations should review their external-facing data collection systems, recognizing them as high-value targets for threat actors. The ongoing investigation will determine the precise attack vector, offering further insights for defensive strategies.
