
Dutch Data Protection Authority (Autoriteit Persoonsgegevens)

Analysis of the Dutch Data Protection Authority breach via Ivanti vulnerability - the data privacy regulator itself compromised.

Published by the Scrutex.ai Research Team | February 2026

Disclaimer

This advisory is provided for informational and educational purposes only by the Scrutex research team. It is based entirely on publicly available reporting from the sources cited below. Where details are unconfirmed or disputed by the affected organisation, this is noted explicitly. Scrutex does not independently verify internal claims made by affected organisations or threat actors. This advisory should not be interpreted as a confirmed statement of fact regarding any organisation's security posture. Organisations concerned about their own exposure should conduct independent assessments and seek professional legal advice.

At a Glance

Organisation: Dutch Data Protection Authority (Autoriteit Persoonsgegevens). Independent authority in the Netherlands responsible for enforcing data protection law including GDPR, supervising the processing of personal data by organisations.

Sector: Government / Regulatory

Region: Netherlands

Date of Incident: Prior to February 2026 (exploitation of Ivanti vulnerability)

Date Disclosed: February 2026

Estimated Impact: Unknown

Data Types Exposed: Names, email addresses, phone numbers of staff

Attack Type: Hacking

Attack Vector: Exploitation of vulnerability in Ivanti Endpoint Manager Mobile (same as European Commission incident)

Current Status: Vulnerability patched. Investigation ongoing. The Council for the Judiciary was also affected.

Severity Assessment: High due to irony and institutional impact. The organisation responsible for enforcing data protection in the Netherlands was itself breached through an unpatched vulnerability, underscoring the universal nature of the cyber threat.

What Happened

In February 2026, the Dutch Data Protection Authority and the Council for the Judiciary were affected by the same Ivanti Endpoint Manager Mobile vulnerability that hit the European Commission.

The compromised data includes the names, email addresses, and phone numbers of staff. That a data protection regulator was itself breached raises questions about government security practices.

Timeline

February 2026: Dutch Data Protection Authority confirms staff data exposure via Ivanti vulnerability

February 2026: Council for the Judiciary also confirmed affected

Impact and Risk Assessment

For Affected Individuals

Staff of the Dutch Data Protection Authority had their contact information exposed, potentially enabling targeted phishing of data protection enforcement officials.

For Organisations

The credibility of the Dutch Data Protection Authority as a GDPR enforcement body is affected by its own vulnerability to an unpatched security flaw.

The Council for the Judiciary was also affected, broadening the institutional impact.

Regulatory Context

The Dutch DPA is subject to Regulation (EU) 2018/1725 and Dutch national data protection law. Because the Dutch DPA is the enforcer of GDPR in the Netherlands, this breach creates an unusual regulatory situation.

What Should You Do?

If You Are a Potentially Affected Individual

Staff of the Dutch DPA and Council for the Judiciary should be vigilant about phishing attempts targeting their professional contacts.

If You Are a Security or Risk Professional

No organisation is immune to cyber attacks, including regulators. Vulnerability management and patching must be prioritised universally.

Endpoint management platforms represent high-value targets. Implement defence-in-depth measures that do not rely solely on any single product.

Learnings and Recommendations

When the organisation responsible for enforcing data protection rules is itself breached through an unpatched vulnerability, it underscores how universal the challenge of vulnerability management truly is.

No organisation is immune to cyber attacks. Even regulators must invest in their own security posture alongside their enforcement activities.

Sources
