Municipality of Epe Data Breach Impacts Nearly All Residents via ClickFix Attack
Learn More
The Municipality of Epe, located in the Netherlands, reported a data breach on March 12, 2024, affecting nearly all of its 32,000 residents. Around 552,000 files were stolen from a municipal server used to process citizen requests and formal objections.
Attackers gained access to the municipal network using a social engineering tactic known as "ClickFix." This method uses fake browser or system error messages to trick employees into clicking malicious links that allow hackers to bypass security controls. The breach targeted a server used by staff hired before 2022 to store files before they were moved into the primary municipal database.
The compromised data includes:
- Full names and genders
- Home addresses
- Dates, places, and countries of birth
- Citizen Service Numbers (BSN)
- Bank account numbers
- Contact details including email addresses and phone numbers
- Copies of over 1,000 valid identity documents (passports and driver's licenses)
The municipality has notified the Dutch Data Protection Authority and local law enforcement to investigate.
The municipality isolated the compromised server and forced a password reset for all staff members to contain the incident. To mitigate the risk of identity fraud, Epe is providing free replacements for passports, ID cards, and driver's licenses to the 1,000 residents whose document copies were stolen. Officials are working with cybersecurity experts to monitor dark web forums for any publication of the stolen files.
