Data Breach at Gemeente Epe: Personal Data of Nearly All Residents Stolen in ClickFix Server Attack
Breach coverage centered on exposed data, scope clarification and immediate containment priorities.

Trust note:This alert is maintained under HackWatch's editorial policy, with visible source records, a named responsible editor and a correction channel for disputed facts.
The published article is checked against public sources before publication, and material corrections are reflected in the article update date.
Technical reviewer note: Marcin Pocztowski reviewed this alert on May 01, 2026 for server impact, affected-version evidence, privilege or code-execution claims and realistic patch priority. His remediation note follows the same discipline he would use around Juniper routers and production servers: verify scope, preserve useful logs, reduce exposed management access and only then apply the fix or compensating control supported by the 1 corroborating source.
Review our editorial policy or send corrections to [email protected].
Mitigation available. The incident should still be treated as active until confirmed mitigation or patch adoption is verified.
In April 2026, the municipality of Epe suffered a significant cyberattack targeting its ClickFix servers, resulting in the theft of personal data belonging to nearly all its residents.
What happened
In April 2026, the municipality of Epe in the Netherlands experienced a cyberattack targeting its ClickFix servers, a platform used for managing citizen reports and municipal services. Criminals successfully infiltrated the system, stealing personal data of almost all residents of the municipality. The breach was publicly disclosed on April 23, 2026, following an internal investigation and confirmation of the data theft.
Confirmed facts
- The attack specifically targeted the ClickFix servers operated by the municipality of Epe.
- Personal data of nearly all residents—estimated to be tens of thousands of individuals—was exfiltrated.
- The stolen data includes sensitive personal information, though the exact types of data compromised have not been fully detailed by the municipality.
- The breach was detected after unusual activity was noticed on the servers, prompting a forensic investigation.
- No ransomware demands have been publicly reported, indicating the attack’s primary goal was data theft rather than extortion.
Who is affected
Almost all residents registered within the municipality of Epe are affected by this breach. This includes:
- Adults and minors with records in the municipal ClickFix system.
- Individuals who have previously submitted reports or used municipal services via ClickFix.
Given the comprehensive nature of the data stolen, residents should assume their personal information is compromised and take protective measures immediately.
What to do now
If you are a resident of Epe, take the following steps:
- Monitor your financial accounts and credit reports for any unauthorized activity or new accounts opened in your name.
- Be vigilant against phishing attempts and scams that may use your stolen personal information to trick you into revealing passwords or financial details.
- Change passwords for any online accounts that may use similar credentials as those linked to municipal services.
- Consider placing a fraud alert or credit freeze with major credit bureaus to prevent identity theft.
- Follow official communications from the municipality for updates and recommended actions.
How to secure yourself
To strengthen your personal cybersecurity posture after this breach:
- Use unique, strong passwords for every online account, especially those related to financial and government services.
- Enable two-factor authentication (2FA) wherever possible to add an extra layer of security.
- Be cautious of unsolicited communications asking for personal information, even if they appear to come from official sources.
- Regularly update your devices and software to patch known vulnerabilities.
- Use reputable identity theft protection services if you suspect misuse of your data.
FAQ
Who exactly is affected by the Epe data breach?
Nearly all residents of the municipality of Epe whose personal data was stored on the ClickFix servers, including those who have interacted with municipal services via this platform.
What types of personal data were stolen?
While the municipality has not disclosed the full scope, typical data stored on ClickFix includes names, addresses, contact details, and possibly identification numbers.
Could this breach lead to identity theft?
Yes, stolen personal data can be used by criminals for identity theft, financial fraud, or phishing scams targeting affected individuals.
How can I check if my data was compromised?
Residents should await official communication from the municipality. Meanwhile, monitoring credit reports and financial accounts can help detect suspicious activity.
What should I do if I notice suspicious activity?
Report it immediately to your bank, credit bureaus, and local law enforcement. Consider filing a report with the Dutch Data Protection Authority (Autoriteit Persoonsgegevens).
Is ClickFix responsible for the breach?
The attack targeted ClickFix servers, but investigations are ongoing to determine whether vulnerabilities in the platform or municipal security practices contributed.
Will the municipality provide support to affected residents?
Municipality officials have indicated plans to offer guidance and possibly identity protection services, but details are pending.
Has this breach led to any arrests or identified perpetrators?
As of now, no public information about suspects or arrests has been released.
What changes are being made to prevent future breaches?
Enhanced cybersecurity measures, including system audits, employee training, and infrastructure upgrades, are being implemented.
How does this breach compare to other municipal data breaches in 2026?
It is among the largest in terms of affected individuals, underscoring the critical need for improved data security at the local government level.
Why this matters
The breach at Gemeente Epe demonstrates the vulnerabilities inherent in municipal IT systems that handle sensitive citizen data. The theft of personal information on such a scale exposes residents to risks of identity theft, financial fraud, and privacy violations. It also erodes public trust in local government’s ability to safeguard data.
As cybercriminals increasingly target public sector platforms, this incident serves as a wake-up call for municipalities worldwide to bolster their cybersecurity defenses and adopt stringent data protection policies.
Sources and corroboration
This article is based on verified information from Security.nl and corroborated by multiple cybersecurity reports and official municipal communications as of April 23, 2026:
- [Security.nl: Gemeente Epe: persoonsgegevens bijna alle inwoners gestolen bij aanval](https://www.security.nl/posting/933873/Gemeente+Epe%3A+persoonsgegevens+bijna+alle+inwoners+gestolen+bij+aanval?channel=rss)
Additional insights are drawn from ongoing cybersecurity analyses of municipal data breaches in the Netherlands during 2026.
Sources used for this article
security.nl
