Cyber Attack on Municipality of Epe Exposes Personal Data of Almost All Residents, Including Thousands of ID Documents

The municipality of Epe in Gelderland has confirmed that a cyber attack in March resulted in the theft of personal data belonging to virtually all of its residents. The scale of the breach, revealed after a six-week investigation, makes it one of the most serious municipal data incidents in the Netherlands in recent years. The burgemeester called it not a leak, but outright theft.

Rentals in the Netherlands

Signaal tracks the Dutch rental market and notifies you the moment something matches your search. Be first to apply.

What happened

The attack used ClickFix, a relatively new social engineering technique in which users are tricked into executing malicious commands themselves. In this case, a municipal employee was shown a fake CAPTCHA — the kind of puzzle used to prove you are not a robot. The instructions told the employee they could fix a problem by copying and pasting a command, which in reality installed malware and gave the attackers access to the system.

The attackers made off with more than 800 gigabytes of data — around 600,000 files — from an internal file server. That server was used only by staff who joined before 2022, and functioned as a staging area where documents submitted by residents — such as objections or permit applications — were collected before being entered into the main municipal systems.

What was stolen

The investigation found that from almost all residents, the following data was taken: name, address, gender, date of birth, place and country of birth, and BSN citizen service number. From a portion of residents, additional data was also stolen, including contact details, bank account numbers and copies of identity documents. More than 1,000 residents had a valid identity document copied.

DigiD usernames and passwords were not compromised. The municipality also does not hold consolidated contact lists with email addresses and phone numbers in a single file, which the attackers were looking for. Those details may however appear in individual stolen documents.

Identity documents to be replaced for free

For the roughly 1,000 residents whose identity documents were copied, the municipality is offering free replacements of their driving licence, ID card and passport to reduce the risk of identity fraud. Burgemeester Tom Horn said: "With those documents criminals can do a lot. You could, for example, rent a car abroad in someone else's name." Those residents will receive a separate letter no later than 8 May.

All other residents in Epe will shortly receive a letter from the municipality explaining what happened and what they can do to guard against misuse of their data.

What the burgemeester said

Burgemeester Tom Horn was direct in his assessment of what occurred: "People call it a leak, but it is theft. As a municipality we have a duty to look after citizens' data and we take that seriously. Unfortunately it still went wrong."

The status of the stolen data

The stolen data has not yet appeared on the dark web. The municipality says it has not been approached for a ransom. Police are investigating, but the identity of those responsible is not yet known. Passwords were changed across all staff accounts and systems were further secured following the attack.

The Epe breach is the latest in a string of significant Dutch data incidents in 2026, following the Odido breach in February affecting 6.2 million people, the Basic-Fit hack in April, and the Rituals breach disclosed this week.