Cyber Incident Victim: Dutch Data Protection Authority
Date:
Feb 2026
Location:
Netherlands
Summary
The Dutch Data Protection Authority was compromised through a critical zero‑day vulnerability in Ivanti Endpoint Manager Mobile, resulting in unauthorized access to work‑related data such as names, email addresses and phone numbers. The same flaw was exploited in intrusions affecting the European Commission and the Judicial Council, with the Commission reporting that its breach was contained within nine hours.
| CIA Posture | Motives | Tactics, Techniques & Procedures |
|---|---|---|
| Available to members | 0 motives | 1 technique |
| Threat Actors | Type | Location |
|---|---|---|
| 0 actors | Available to members | Available to members |
Description
In February 2026, the European Commission, the Dutch Data Protection Authority, and the Judicial Council confirmed they had been hacked. The breach was carried out by exploiting critical zero‑day vulnerabilities in Ivanti Endpoint Manager Mobile. The attackers gained access to work‑related data belonging to the Dutch Data Protection Authority. Specifically, names, email addresses, and phone numbers were accessed during the incident. The same vulnerability also affected the European Commission and the Judicial Council, though the Dutch authority’s data exposure was explicitly noted.
The European Commission stated that it contained its breach within nine hours of detection. No comparable containment timeline was provided for the Dutch Data Protection Authority or the Judicial Council in the source material. The incident was disclosed publicly through a joint confirmation by the three organizations. No information about the identity of the attackers, any ransom demand, or further misuse of the stolen data was included in the available reports. Consequently, the public record of the Dutch Data Protection Authority breach remains limited to the confirmed exploitation of the Ivanti zero‑day and the access to names, email addresses, and phone numbers.