Eindhoven officials expose resident data on public AI websites

Officials at the municipality of Eindhoven uploaded personal data of residents and employees to public AI websites, including ChatGPT, city authorities confirmed. The data breach, reported to the Dutch Data Protection Authority on October 23, 2025, involved sensitive files from departments handling care and support for residents.

The city conducted a 30-day sample from September 23 to October 23 and found multiple types of personal data, including Jeugdwet documents, internal reports, and CVs.

The full scope of the breach is unknown because uploaded data is stored temporarily for only 30 days. As a result, the municipality cannot notify all individuals whose information may have been exposed.

“We know that many files were involved, but the precise extent of the uploaded data cannot be determined,” the Eindhoven municipal council wrote in a letter to the city council. “This is because these data are temporarily, only stored for 30 days.”

The breach primarily affects vulnerable residents, though the city said the risk to individuals is limited compared with stolen data. “Individual data uploaded into an AI tool cannot easily be extracted and misused by third parties,” the council said. Officials acknowledged the risk cannot be fully ruled out, as advanced reconstruction techniques are possible.

After discovering the breach, the municipality blocked staff access to public AI websites. Employees are now restricted to using an internal AI tool within a secure municipal environment. Eindhoven also requested OpenAI delete any files uploaded from the city and intensified monitoring of external data traffic.

The city hired legal advisory firm Hooghiemstra & Partners to investigate the nature, scope, and impact of the breach. “We are shocked that sensitive personal data were sent to AI websites. This is very unfortunate for residents and employees, and we regret not knowing exactly what data were involved. We are taking all measures to prevent this in the future,” the municipal council said.

Eindhoven has been under intensified supervision by the Dutch Data Protection Authority since March 2023 after previous delays in reporting breaches and retaining personal data too long. Since then, the municipality has implemented privacy and security improvements and internal awareness campaigns, including an AI conduct code established on November 18, 2025.