The Dutch municipality of Epe has confirmed that hackers stole personal data belonging to nearly all 32,000 residents in a cyberattack on a council server last month. Names, addresses, dates of birth, places of birth, and citizen service (BSN) numbers were exfiltrated for almost the entire population, alongside contact details, bank account numbers, and copies of at least 1,000 identity documents for a subset of residents. Mayor Tom Horn confirmed the breach to broadcaster NOS, and police are actively investigating.

What Happened

Local authorities in Epe, a town in the Dutch province of Gelderland, disclosed that an attacker compromised a council-operated server used to collect documents submitted by residents. The server had been in operation since 2022 as an intake point for applications, objections, and other citizen submissions before data was moved into the municipality's main system. The breach occurred last month and was confirmed publicly this week. As of disclosure, no ransom demand has been made and the stolen dataset has not surfaced on dark web marketplaces or leak sites being monitored by investigators.

Mayor Tom Horn framed the incident in unambiguous terms, telling NOS: "People call it a leak, but it is theft." He acknowledged the council's failure to safeguard the data, calling the breach a serious crime. The municipality is now offering free replacements of passports, ID cards, and driving licences to affected residents, with separate notifications going by 8 May to those whose ID document copies were taken.

What Was Taken

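The scope of the data theft is extensive given the size of the affected community. For almost the entire population, the data confirmed stolen comprises names, addresses, dates of birth, places of birth, and citizen service (BSN) numbers. For a subset of residents it also includes contact details, bank account numbers, and copies of at least 1,000 identity documents.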

Notably, the council confirmed that no DigiD login credentials or passwords were taken. DigiD is the Netherlands' national digital identity authentication system, and its exclusion from the breach limits the immediate account takeover risk against government services.

Why It Matters

BSN numbers are the linchpin of Dutch civil identity. Combined with names, addresses, and dates of birth, the stolen dataset provides everything required for high-fidelity identity fraud, synthetic identity creation, and targeted social engineering against residents, banks, and government agencies. The stolen ID document copies, at least 1,000 of them, elevate the risk further, enabling attackers to bypass remote KYC checks at financial institutions and crypto exchanges.

The Epe breach also fits into a pattern of large-scale Dutch data compromises in 2026. In recent weeks, Booking.com disclosed a reservation data breach, medical software vendor Chipsoft confirmed a ransomware-driven patient data theft, and a mass claim was filed against telecoms provider Odido following its February breach exposing 6.2 million records. The cumulative effect is a Dutch population whose personally identifiable information is increasingly correlatable across multiple stolen datasets, sharply lowering the cost and increasing the success rate of downstream fraud campaigns.

For municipal IT defenders across Europe, the incident is a reminder that intake and submission systems often hold unstructured citizen data at the highest sensitivity tier, yet typically receive less hardening than core record-of-truth systems.

The Attack Technique

The municipality has not publicly disclosed the initial access vector, the threat actor's identity, or the malware family involved. Investigators have not attributed the intrusion to a known ransomware crew, and the absence of a ransom demand or leak site posting suggests one of several possibilities: a financially motivated actor who intends to monetize the data privately on criminal markets, a state-aligned actor harvesting bulk PII for downstream operations, or an opportunistic intrusion whose operator has not yet decided how to monetize.

The compromised asset, a document intake server operational since 2022, is a common architectural weak point. Such systems frequently aggregate sensitive submissions in a staging area before transfer to hardened back-end systems, creating a high-value, lower-defended target. Without further technical detail from the council or police, the specific exploit chain remains unconfirmed.

What Organizations Should Do

Municipal and public-sector defenders should treat this incident as a prompt to audit citizen-facing intake infrastructure:

  1. Inventory all document intake and staging systems. Identify any server that holds resident or customer submissions before transfer to systems of record. These intermediate stores often retain data far longer than intended and are frequently excluded from primary hardening programs.
  2. Enforce short retention windows on staging systems. Documents submitted by residents should be moved into the main system and purged from intake servers within defined SLAs. Do not let intake systems become long-term repositories.
  3. Encrypt sensitive PII at rest with managed keys. BSN numbers, ID document scans, and bank account data should be encrypted with keys held outside the application server, limiting the impact of server-level compromise.
  4. Segment intake systems from the broader council network. Treat them as a semi-trusted DMZ, with strict egress controls to prevent bulk exfiltration.
  5. Deploy data loss prevention and egress anomaly detection capable of flagging large outbound transfers from systems that should only receive inbound submissions.
  6. Prepare a citizen notification and identity remediation playbook in advance. Epe's offer of free passport, ID card, and driving licence replacement is the right response, but breaches of this scale demand a pre-built communications and remediation workflow rather than ad hoc execution.
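As an added illustration of recommendations 4 and 5 (not code from the municipality or the cited report), the sketch below flags hours in which an intake server sends more than a small byte budget to anything other than the system of record. The addresses, the budget, and the flow records are constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime
from ipaddress import ip_address, ip_network

# Assumed (hypothetical) addressing: one intake server and the main system it feeds.
INTAKE_HOSTS = {"10.20.0.15"}
ALLOWED_DESTS = [ip_network("10.10.0.0/24")]  # system of record receiving hand-offs
EGRESS_BUDGET_BYTES = 5 * 1024 * 1024         # per host, per hour, to anything else

# Constructed sample flow records: (ISO timestamp, src, dst, bytes sent by src)
SAMPLE_FLOWS = [
    ("2026-04-02T09:05:00", "203.0.113.7", "10.20.0.15", 2_400_000),  # resident upload
    ("2026-04-02T09:10:00", "10.20.0.15", "10.10.0.8", 2_400_000),    # hand-off to main system
    ("2026-04-02T09:30:00", "10.20.0.15", "198.51.100.9", 40_000),    # small reply traffic
    ("2026-04-03T02:10:00", "10.20.0.15", "198.51.100.77", 310_000_000),
    ("2026-04-03T02:40:00", "10.20.0.15", "198.51.100.77", 295_000_000),
    ("2026-04-03T03:05:00", "10.20.0.15", "198.51.100.77", 1_000_000),
]

def is_allowed(dst):
    """True when the destination is the system of record."""
    addr = ip_address(dst)
    return any(addr in net for net in ALLOWED_DESTS)

def find_egress_anomalies(flows, budget=EGRESS_BUDGET_BYTES):
    """Return sorted (hour, host, bytes, destinations) for intake hosts over budget."""
    totals = defaultdict(int)
    dests = defaultdict(set)
    for ts, src, dst, nbytes in flows:
        if src not in INTAKE_HOSTS or is_allowed(dst):
            continue  # only unexpected outbound traffic from intake hosts counts
        hour = datetime.fromisoformat(ts).strftime("%Y-%m-%dT%H:00")
        totals[(hour, src)] += nbytes
        dests[(hour, src)].add(dst)
    return sorted(
        (hour, host, total, sorted(dests[(hour, host)]))
        for (hour, host), total in totals.items()
        if total > budget
    )

if __name__ == "__main__":
    for hour, host, total, where in find_egress_anomalies(SAMPLE_FLOWS):
        print(f"ALERT {hour} {host} sent {total / 1e6:.1f} MB to {where}")
```

Because the budget is counted per hour, a transfer deliberately spread thinly across many hours would stay under it, so a daily or weekly cumulative total is a sensible companion check.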

Sources: Hackers steal personal data of nearly all Epe residents - DutchNews.nl