What Happened
In February 2026, the European Commission disclosed that staff data was exposed through an exploited vulnerability in Ivanti Endpoint Manager Mobile.
The compromised data includes names and mobile numbers of EC staff. The same Ivanti vulnerability also affected the Dutch Data Protection Authority.
Timeline
- February 2026 — European Commission discloses staff data exposure via Ivanti Endpoint Manager Mobile vulnerability
- February 2026 — Dutch Data Protection Authority also confirmed affected by the same vulnerability
Impact and Risk Assessment
For Individuals
European Commission staff had their names and mobile phone numbers exposed, potentially enabling targeted phishing and social engineering of EU officials.
For Organisations
The exposure of EU official contact details has implications for EU institutional security and diplomatic communications.
Multiple organisations were affected by the same Ivanti vulnerability, demonstrating systemic risk from unpatched endpoint management platforms.
Regulatory Context
EU institutions are subject to Regulation (EU) 2018/1725 on data protection. CERT-EU coordinates cybersecurity incident response for EU institutions.
What Should You Do?
For Individuals
- EU institutional staff should be particularly vigilant about phishing attempts via their mobile devices following this exposure.
For Security Professionals
- Prioritise patching of endpoint management platforms, which have broad access across device fleets and represent high-value targets.
- Coordinate vulnerability management across institutions: the same vulnerability affecting multiple government organisations demonstrates the need for it.
Learnings and Recommendations
The exploitation of the same Ivanti vulnerability across multiple high-profile government organisations demonstrates how unpatched software vulnerabilities can create systemic risk.
Endpoint management platforms are particularly attractive targets because they often have broad access across an organisation's device fleet.