Article Details
Scrape Timestamp (UTC): 2026-02-09 14:53:29.861
Source: https://www.theregister.com/2026/02/09/dutch_data_protection_ivanti/
Original Article Text
Dutch data watchdog snitches on itself after getting caught in Ivanti zero-day attacks.
Staff data belonging to the regulator and judiciary's governing body accessed.
The Dutch Data Protection Authority (AP) says it was one of the many organizations popped when attackers raced to exploit recent Ivanti vulnerabilities as zero-days.
Justice secretary Arno Rutte and secretary for kingdom relations Eddie van Marum co-authored a letter to the Dutch parliament, confirming that an attack involving January's Ivanti Endpoint Manager Mobile (EPMM) bugs led to a data breach.
The attack took place on January 29, the letter confirmed, and affected employees of both the AP and the Council for the Judiciary (RVDR). Attackers may have accessed personal data including names, business email addresses, and phone numbers.
The senior ministers did not comment on the scale of the breach in terms of specific numbers, but said all of the affected individuals have been informed directly.
And to whom does a country's data protection authority report itself in such cases? The answer is its data protection officer, in this instance, while the AP's usual staff are looking into the breach at RVDR, which reported itself to the authority as normal.
While those investigations remain ongoing, the country's cybersecurity agency (NCSC-NL) is keeping tabs on the Ivanti EPMM vulnerabilities (CVE-2026-1281 and CVE-2026-1340) and working with partners to understand additional threats the vulnerabilities present.
The Dutch office of the CIO (CIO Rijk) is also examining whether there is a broader risk to the central government, the letter stated.
The US Cybersecurity and Infrastructure Security Agency (CISA) confirmed CVE-2026-1281 (9.8) was exploited in the wild by adding it to the Known Exploited Vulnerability (KEV) list shortly after initial disclosure.
Ivanti's security advisory at the time stated: "We are aware of a very limited number of customers whose solution has been exploited at the time of disclosure."
However, warnings from outside sources suggested the attacks could be more frequent than the vendor's "very limited" phrasing would suggest.
In its own warning about the Ivanti bugs, the UK's National Health Service (NHS) highlighted that EPMM devices are exposed to the web by design, making them ripe targets for attackers.
It said: "Edge devices like EPMM are internet-facing by design and are highly attractive targets to attackers, and there are an increasing number of edge device vulnerabilities disclosed each year that are rapidly exploited by attackers.
"The NHS England National CSOC assesses it is highly likely vulnerabilities discovered in edge devices will continue to be exploited as zero-day vulnerabilities, or shortly after vendor disclosure."
Benjamin Harris, CEO at watchTowr, also said around the time of the bugs' disclosure that EPMM devices are often used by high-value organizations, according to intel gleaned from the company's own customer base.
"While patches are available from Ivanti, applying patches will not be enough. Threat actors have been exploiting these vulnerabilities as zero-days, and organizations that are, as of disclosure, exposing vulnerable instances to the internet must consider them compromised, tear down infrastructure, and instigate incident response processes."
Daily Brief Summary
The Dutch Data Protection Authority and the Council for the Judiciary experienced a data breach due to Ivanti Endpoint Manager Mobile vulnerabilities exploited as zero-days.
Personal data, including names, business emails, and phone numbers of employees, were potentially accessed on January 29, affecting both organizations.
Dutch justice officials confirmed the breach in a letter to parliament, noting that all affected individuals have been directly informed.
Investigations are ongoing, with the Dutch cybersecurity agency monitoring Ivanti vulnerabilities and collaborating with partners to assess further threats.
The U.S. CISA has added CVE-2026-1281 to its Known Exploited Vulnerability list, indicating active exploitation of this high-severity flaw.
The UK's NHS and cybersecurity experts warn that EPMM devices, being internet-facing, are attractive targets for attackers, stressing the importance of immediate response actions.
Ivanti has issued patches, but experts advise organizations to assume compromise if vulnerable systems were exposed and to initiate incident response measures.