Dutch Data Protection Authority Hit by Major Security Breach in Embarrassing Oversight
The Hague, Saturday, 7 February 2026.
The Netherlands’ top data privacy watchdog fell victim to hackers who accessed employee information through vulnerable software. Unauthorized parties viewed names, email addresses, and phone numbers of staff at both the Data Protection Authority and Council for the Judiciary. The breach exploited weaknesses in Ivanti mobile device management software used across multiple government agencies, raising concerns about wider exposure across Dutch public institutions.
Timeline of the Security Incident
The breach unfolded over several weeks, beginning with initial vulnerability discovery. On January 29, 2026, the National Cyber Security Centre (NCSC) was notified by software supplier Ivanti about vulnerabilities in their Endpoint Manager Mobile system [1][2]. The situation escalated when the NCSC issued a public warning on February 2, 2026, advising organizations using the software to assume they had been compromised [3]. By February 5, 2026, the Council for the Judiciary reported the breach to the Dutch Data Protection Authority, which subsequently discovered its own systems had been compromised [4]. State secretaries Arno Rutte and Eddie van Marum formally disclosed the incident to parliament on February 6, 2026 [1][5].
Scale and Nature of Data Exposure
The breach exposed work-related personal information of employees at both organizations, though the full scope remains under investigation [1]. Confirmed compromised data includes names, official email addresses, and phone numbers of staff members [1][2]. The Dutch Data Protection Authority employed 320 full-time equivalent positions as of 2024, providing context for the potential scale of exposure at that organization alone [4]. However, ministry spokespersons acknowledged that the exact number of affected employees across both institutions remains unclear and continues to be investigated [1][5]. The incident represents a particularly sensitive breach given that the Data Protection Authority serves as the Netherlands’ primary regulator for personal data protection [GPT].
Technical Details of the Ivanti Vulnerability
The breach exploited a specific vulnerability designated as CVE-2026-1281 in Ivanti Endpoint Manager Mobile software [6]. This system manages and secures mobile devices, applications, and content for enterprise clients across multiple government agencies [1][2]. The vulnerability allowed unauthorized actors to gain access to sensitive systems, with the NCSC noting that attackers potentially removed traces of their activities after exploitation, making comprehensive damage assessment challenging [4]. Multiple government organizations utilize this Ivanti software, raising concerns about broader exposure across Dutch public institutions [1][5]. The NCSC advised all affected organizations to change passwords, renew private keys, and monitor internal network traffic for potential lateral movement by attackers [6][3].
Government Response and Ongoing Investigation
Dutch authorities implemented immediate containment measures upon discovery of the breach. The Data Protection Authority ceased using the compromised Ivanti software and reported the incident to its own data breach reporting point and internal data protection officer [5][6]. The Council for the Judiciary similarly suspended email access on mobile devices while maintaining laptop-based access to continue operations [5]. State secretary spokespersons confirmed that additional government agencies could potentially be affected, with investigations ongoing to determine the full scope of compromise across the public sector [1][5]. The incident prompted a comprehensive review of cybersecurity protocols within Dutch government institutions, highlighting critical vulnerabilities in the digital infrastructure supporting sensitive regulatory and judicial functions [GPT].