Russian Hackers Breach Dutch Prosecution Service, Exposing Sensitive Data
The Hague, Thursday, 24 July 2025.
A three-week cyber attack possibly orchestrated by Russian hackers has compromised the Dutch Public Prosecution Service’s systems, exposing sensitive data and prompting urgent cybersecurity discussions.
Background of the Attack
The Dutch Public Prosecution Service (OM) has been the subject of a cyber attack lasting approximately three weeks, with strong indications pointing towards Russian involvement. The breach is believed to have started in June 2025, following a vulnerability warning about Citrix software used by the OM. The National Cyber Security Center (NCSC) issued an alert, leading to the patching of the software on June 24, 2025. However, by that time, hackers had already accessed the systems, as reported by multiple sources [1][2].
Details of the Breach
The attack compromised sensitive information in the prosecution service’s internal systems, including details of ongoing police investigations, criminal files, and personal data of employees. Authorities disclosed the breach on July 17, 2025, after disconnecting the systems from the internet to prevent further unauthorized access. The breach coincides with historical concerns about Russia’s interest in Dutch legal proceedings, including the MH17 investigation, indicating possible motives for the attack [1][2].
Cybersecurity Response and Concerns
With the systems now offline and the breach exposed, a comprehensive investigation is underway to assess the full extent of the data accessed and the potential implications for national security. This incident underscores the vulnerabilities public institutions face against sophisticated cyber threats and has prompted urgent discussions about strengthening cybersecurity measures. Experts are particularly concerned about the impact of such breaches on public trust and institutional integrity [1][3].
Future Cybersecurity Measures
In response to the increasing cyber threat landscape, the Netherlands plans to implement the EU NIS2 Directive through the Cybersecurity Act, expected to take effect in the second quarter of 2026. This legislation aims to enhance resilience against cyber threats, particularly in critical industries. It will introduce stricter cybersecurity obligations for medium and large enterprises, thus aiming to mitigate such risks effectively in the future [4].