
Nearly All Epe Residents Exposed in March 12 Data Breach, 552,000 Files Stolen

Details on the March 12 Epe breach: ClickFix attack, 552k files stolen, free ID replacements, and mitigation steps for defenders.

Peter Olaleru/3 min/US

Cybersecurity Editor

Massive data breach at Epe municipality exposes personal data of residents


Source: Openrijk

Nearly all Epe residents had personal data exposed after a March 12 breach that stole 552,000 files via a ClickFix social‑engineering tactic.

Context

The municipality of Epe reported that attackers infiltrated its systems on March 12 using a fake error message that prompted victims to click a malicious link. This ClickFix technique granted the threat actors access to internal files containing names, addresses, birth dates, gender, BSN numbers, and, for some residents, contact details, bank account information, and ID copies. Login credentials for DigiD were not stored by the municipality and therefore remained unaffected.

Key Facts

- The breach affected virtually the entire resident population of Epe.
- Approximately 552,000 files were exfiltrated, according to the municipal investigation.
- Affected residents can request a replacement ID at no cost.
- The municipality has notified the Dutch Data Protection Authority and local police, changed staff passwords, and added security controls.

What It Means

Exposure of BSN numbers and financial details heightens the risk of identity theft, fraudulent loans, and targeted phishing campaigns. While no evidence of data publication has emerged, the stolen information could be used for credential stuffing or sold on underground markets. Organizations that rely on similar municipal data stores should review their exposure to social‑engineering vectors.

Mitigations

- Deploy email and web filters that block known malicious domains and detect fake error‑message patterns (MITRE ATT&CK T1566.002).
- Conduct regular user‑training sessions focused on recognizing unsolicited prompts and verifying links before clicking.
- Enforce multi‑factor authentication on all internal applications, especially those handling personal data.
- Apply the principle of least privilege; segment file servers so that a compromised workstation cannot access broad repositories.
- Monitor for anomalous file access or large data transfers using SIEM rules aligned with MITRE ATT&CK T1041 (Exfiltration Over C2 Channel).
- Review and patch any publicly exposed services; although no CVE was cited in this incident, keeping software current reduces the attack surface.
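The file-access monitoring item in the list above can be prototyped as follows. This is an added example, not part of the original article or the municipality's tooling: it flags any account and workstation pair that reads an unusually large number of distinct files within a sliding window. The event tuple layout, account and host names, window and threshold are assumptions, and the sample events are constructed.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

BASE = datetime(2024, 1, 1, 9, 0, 0)  # constructed timestamp, not the incident date


def make_sample_events():
    """Constructed file-server read events: (timestamp, account, host, path)."""
    events = []
    # Ordinary user: five reads spread across an hour.
    for i in range(5):
        events.append((BASE + timedelta(minutes=12 * i), "alice", "WS-014",
                       f"/share/permits/doc{i}.pdf"))
    # Bulk reader: 300 distinct files in five minutes from one workstation.
    for i in range(300):
        events.append((BASE + timedelta(seconds=i), "svc-scan", "WS-022",
                       f"/share/civil/{i:05d}.pdf"))
    return sorted(events)


def detect_bulk_reads(events, window=timedelta(minutes=10), threshold=200):
    """Alert once per (account, host) that reads >= threshold distinct files
    inside a sliding time window. Events must be sorted by timestamp."""
    recent = defaultdict(deque)                      # key -> (ts, path) in window
    counts = defaultdict(lambda: defaultdict(int))   # key -> path -> reads in window
    alerted, alerts = set(), []
    for ts, account, host, path in events:
        key = (account, host)
        queue = recent[key]
        queue.append((ts, path))
        counts[key][path] += 1
        # Expire reads that fell out of the window.
        while ts - queue[0][0] > window:
            _, old_path = queue.popleft()
            counts[key][old_path] -= 1
            if counts[key][old_path] == 0:
                del counts[key][old_path]
        distinct = len(counts[key])
        if distinct >= threshold and key not in alerted:
            alerted.add(key)
            alerts.append({"account": account, "host": host,
                           "alert_time": ts, "distinct_files": distinct})
    return alerts


if __name__ == "__main__":
    for alert in detect_bulk_reads(make_sample_events()):
        print(alert)
```

Counting distinct paths rather than raw reads keeps a user who reopens one document repeatedly from tripping the rule; the threshold should be tuned against each file server's normal baseline.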

Watch for any appearance of the stolen data on dark‑web forums or in subsequent phishing attempts targeting Epe residents.
