In March 2026 the network of the Dutch municipality of Epe was hit by a cyberattack. The breach turned out to be far larger than first thought: personal data on nearly all residents had been stolen — name, address, gender, date and place of birth and the national citizen service number (BSN) — and for around a thousand residents even a copy of their identity document. The incident sharply illustrates what awareness programmes often underplay: not every piece of personal data is equally dangerous. A national ID number and an ID copy are the building blocks of identity fraud.
What happened
The attack was discovered on 12 March 2026. In the days that followed it became clear the scale was far greater than first assumed: not a handful of records, but the data of almost the entire resident register of the municipality.
The most sensitive part involved around a thousand copies of identity documents plus the citizen service numbers of nearly all residents. That is a fundamentally different risk from a leaked email address. A municipality, by its nature, processes the most foundational identity data that exists.
A breach of this kind falls under the GDPR's notification duty: report to the supervisory authority within 72 hours and inform the affected residents. Governments also have a duty to lead by example — they hold data that citizens are legally obliged to hand over and cannot change anywhere else.
Why a national ID number and ID copy are so much more dangerous
You can change a password. You can replace an email address. But your national identification number (the BSN in the Netherlands, the NIR in France, the DNI in Spain, and so on) and the photo on your identity document are fixed for life. That is precisely why these are the data criminals want most: they open the door to identity fraud that can echo for years.
With a national ID number plus a copy of an ID, a criminal can impersonate the victim: take out a loan, sign up for a subscription, divert a benefit payment or file fraudulent claims. The victim often only notices when the debt collectors or reminders arrive, and then has to spend months proving it was not them.
For awareness this means 'protect personal data' is too abstract. Staff must learn to distinguish: which data is replaceable and which is irreversible? An ID copy that 'just briefly' ends up in a shared folder or mailbox is a far bigger risk than people intuitively sense.
The government perspective: trust and leading by example
With a commercial company you can, in the worst case, walk away as a customer. With your municipality you cannot. Residents are obliged to hand over their data and have no alternative. That places an especially heavy responsibility on government organisations to handle that data carefully.
A breach in government therefore affects not only the individuals concerned, but trust in the institutions themselves. That trust is hard to build and quick to lose. Awareness in government is thus not only about technology, but about the realisation that you work with data people had no choice but to entrust to you.
At the same time, government is the most attacked sector in Europe. According to the ENISA threat landscape, public administration accounts for a large share of all recorded incidents. Municipalities are attractive targets precisely because they hold so much valuable data in one place.
Reporting culture: the difference between an incident and a disaster
The scale of the Epe breach only became clear over time. That is typical: in an attack you rarely know straight away how deep it goes. Which is exactly why speed of reporting is crucial — the sooner a signal reaches the right people, the faster you can limit the damage.
The biggest enemy of a good response is shame or fear. An employee who clicked a wrong link, sent a file to the wrong address or spotted a suspicious message must be able to report it without any barrier. A blame culture leads to incidents being concealed until it is too late.
For government, with its 72-hour notification duty, a swift internal reporting chain is not a luxury but a legal necessity. The employee who notices something first is your most important sensor.
How to embed this in your awareness programme
Use the Epe case to make the abstract concept of 'personal data' concrete. Let staff name for themselves which data in their work is irreversible — that sticks far better than a list.
Combine that with an unobstructed reporting culture. In government these are the two levers that yield the most.
- Audience + cadence: give teams that work with ID numbers and ID copies (civil affairs, social services, HR) a targeted module on handling irreversible data.
- Make reporting barrier-free and blame-free: one known reporting route, no penalties for honest reporting, visible appreciation for those who report.
- Practise the 72-hour chain: from 'employee notices something' to 'notification to the supervisory authority' — does everyone know their role?
- Measure reporting speed as a KPI, not just click behaviour: how long until a signal reaches the right person?
FAQ
Why is a national ID number more dangerous than, say, an email address?
An email address or password can be changed; your national ID number is fixed for life. Combined with a copy of an identity document, it enables identity fraud: criminals can impersonate the victim to arrange loans, subscriptions or benefits in their name. The damage can echo for years.
What makes government an attractive target?
Municipalities hold citizens' most foundational identity data — ID numbers, addresses, ID copies — often in one place. Residents are obliged to hand it over and cannot 'walk away'. That makes the data all the more valuable and the responsibility all the greater. Public administration is the most attacked sector in Europe.
Why is reporting culture so decisive in a breach?
The true scale of an attack often only emerges over time, as at Epe. The sooner a signal reaches the right people, the more damage you can limit. A blame culture causes incidents to be concealed; a barrier-free reporting culture turns every employee into an early sensor — and for government, with its 72-hour duty, it is a legal necessity.
What should an employee do who spots a possible breach?
Report immediately via the known internal route, even when in doubt and even if you made the mistake yourself. Speed matters more than certainty: better ten needless reports than one real breach noticed too late. Honest reporting must never lead to penalties.