What Happened
In February 2026, the Dutch Data Protection Authority and the Council for the Judiciary were affected by the same Ivanti Endpoint Manager Mobile vulnerability that hit the European Commission.
The compromised data includes names, emails, and phone numbers. The fact that a data protection regulator was itself breached raises questions about government security practices.
Timeline
- February 2026 — Dutch Data Protection Authority confirms staff data exposure via Ivanti vulnerability
- February 2026 — Council for the Judiciary also confirmed as affected
Impact and Risk Assessment
For Individuals
Staff of the Dutch Data Protection Authority had their contact information exposed, potentially enabling targeted phishing of data protection enforcement officials.
For Organisations
The credibility of the Dutch Data Protection Authority as a GDPR enforcement body is affected by its own vulnerability to an unpatched security flaw.
The Council for the Judiciary was also affected, broadening the institutional impact.
Regulatory Context
The Dutch DPA is subject to Regulation (EU) 2018/1725 and Dutch national data protection law. Because the Dutch DPA is the enforcer of GDPR in the Netherlands, this breach creates an unusual regulatory situation.
What Should You Do?
For Individuals
- Staff of the Dutch DPA and Council for the Judiciary should be vigilant about phishing attempts targeting their professional contacts.
For Security Professionals
- No organisation is immune to cyber attacks, including regulators. Vulnerability management and patching must be prioritised universally.
- Endpoint management platforms represent high-value targets. Implement defence-in-depth measures that do not rely solely on any single product.
Learnings and Recommendations
When the organisation responsible for enforcing data protection rules is itself breached through an unpatched vulnerability, it underscores how universal the challenge of vulnerability management truly is.
No organisation is immune to cyber attacks. Even regulators must invest in their own security posture alongside their enforcement activities.