“Who watches the watchmen?” The question, first posed by the Roman poet Juvenal nearly two millennia ago, has found fresh relevance in the hallways of the Dutch government.

The Dutch Data Protection Authority (Autoriteit Persoonsgegevens, or AP)—the very organization responsible for enforcing Europe’s landmark General Data Protection Regulation—has been caught in a painfully ironic twist of fate: a data breach of its own systems has exposed personal information of its employees.

The incident, confirmed by Dutch State Secretaries Arno Rutte and Eddie van Marum in a letter to parliament on February 6, 2026, represents more than just a routine cybersecurity failure. It is a symbolic wound to the credibility of privacy enforcement in Europe, and a stark reminder that no organization—not even those tasked with protecting others—is immune to the relentless tide of cyber threats.

What Happened at the Dutch DPA

The breach stemmed from a vulnerability in Ivanti Endpoint Manager Mobile (EPMM), enterprise software used by numerous Dutch government agencies to manage and secure mobile devices, applications, and corporate data. The flaws—tracked as CVE-2026-1281 and CVE-2026-1340—are critical zero-day vulnerabilities that received a critical severity rating of 9.8 out of 10 on the CVSSv3 scale.

According to security researchers at Tenable and Rapid7, both vulnerabilities are code injection flaws that allow unauthenticated remote attackers to execute arbitrary code on vulnerable systems. In plain English: an attacker didn’t need a username or password to break in. They simply needed to find a vulnerable Ivanti server exposed to the internet.

The Dutch DPA was not alone in its misfortune. The Council for the Judiciary (Raad voor de Rechtspraak) was also compromised in the same wave of attacks. State secretaries warned that additional government agencies may have been affected, as the vulnerable software is widely deployed across the Dutch public sector.

“This is under investigation, and we don’t yet know,” a spokesperson for State Secretary Rutte told reporters when asked about the scope of the incident. “Multiple government agencies use the software.”

The Data at Risk

The breach exposed work-related personal data of DPA employees, including:

  • Names of staff members
  • Official email addresses (government email domains)
  • Phone numbers (work contact details)

While the exposed data may seem relatively mundane compared to breaches involving medical records or financial data, the implications are more nuanced. The DPA’s employees aren’t ordinary civil servants—they are the investigators, lawyers, and technical specialists who pursue enforcement actions against tech giants, data brokers, and organizations accused of privacy violations.

A threat actor with access to this information could potentially:

  • Target DPA staff with spear-phishing attacks designed to compromise internal systems or ongoing investigations
  • Identify and intimidate investigators working on sensitive enforcement cases
  • Map the organizational structure to understand who handles what types of cases
  • Impersonate DPA officials in social engineering attacks against regulated organizations

The full extent of the breach remains unclear. As of this writing, Dutch authorities have not confirmed exactly how many employees were affected, whether the breach was limited to directory-level information, or if the attackers gained access to more sensitive systems containing complainant data, investigation files, or draft enforcement decisions.

A Brief History of Ivanti’s Security Struggles

For cybersecurity professionals, the involvement of Ivanti in this breach will come as no surprise. The company’s products—particularly those in the mobile device management and VPN spaces—have become a perennial favorite of sophisticated threat actors.

Ivanti EPMM (formerly known as MobileIron Core) has a troubled security history:

Year   CVE                    Issue
2020   CVE-2020-15505         Remote code execution exploited by APT actors
2023   CVE-2023-35078         Authentication bypass (zero-day)
2023   CVE-2023-35081         Remote file write vulnerability
2025   CVE-2025-4427/4428     Another RCE chain exploited in the wild
2026   CVE-2026-1281/1340     Current critical zero-days

In the present case, Ivanti acknowledged that both CVE-2026-1281 and CVE-2026-1340 were exploited as zero-days—meaning attackers were using them before patches were available. The company’s security advisory noted that exploitation affected “a very limited number of customers,” though the inclusion of a national privacy regulator on that list suggests the attackers were not randomly scanning the internet.

Public proof-of-concept exploit code was available within days of the vulnerability disclosure, dramatically increasing the risk of widespread exploitation. Security researchers at watchTowr Labs published a detailed technical analysis, with one blog post cheekily titled: “Someone Knows Bash Far Too Well, And We Love It.”

Ivanti has released temporary RPM patches for affected versions, with a permanent fix expected in version 12.8.0.0 later in Q1 2026.

Who Regulates the Regulators?

The most uncomfortable question raised by this breach is procedural: when the data protection authority suffers a data breach, who do they report it to?

Under GDPR Article 33, organizations must notify the relevant supervisory authority of a personal data breach within 72 hours of becoming aware of it. But the Dutch DPA is the supervisory authority. The result is a bureaucratic paradox that would make Kafka smile.

According to reports, the DPA handled this by:

  1. Having the Council for the Judiciary inform the DPA about the breach (external notification)
  2. The DPA then reported its own breach to its internal Data Protection Officer (DPO)
  3. The breach was also logged through the DPA’s own breach notification portal

It’s the regulatory equivalent of writing yourself a parking ticket. And while the technical compliance with GDPR may be satisfied, the optics are decidedly unfavorable.

This is not the first time a European data protection authority has faced such an awkward situation. The UK’s Information Commissioner’s Office (ICO) has previously addressed the hypothetical scenario in guidance documents, acknowledging that if the ICO itself were to suffer a breach, it would follow its own processes while also involving the National Cyber Security Centre and potentially briefing the Secretary of State.

The Dutch incident suggests that while regulators have procedures on paper, the real-world experience is still evolving.

Implications for EU Privacy Enforcement

The timing of this breach is particularly sensitive. The Dutch DPA has been among the most aggressive enforcers in Europe, regularly pursuing high-profile cases against major technology companies and issuing substantial fines.

Recent enforcement actions by the AP have included:

  • Major fines against international technology platforms for GDPR violations
  • Investigations into algorithmic decision-making and AI systems
  • Scrutiny of data brokers and adtech companies
  • Consumer complaint cases involving big tech

A breach of the regulator’s own systems inevitably raises questions about credibility. How can an authority effectively enforce data protection standards it has demonstrably failed to meet itself?

Privacy advocates have been measured in their responses, recognizing that zero-day vulnerabilities represent an asymmetric threat that even well-resourced organizations struggle to defend against. The exploits used against the DPA were unknown to the vendor and had no available patches at the time of attack.

“No organization is immune to zero-day attacks,” noted one security researcher. “The real question is how they respond—whether they’re transparent, whether they take appropriate remedial action, and whether they learn from the experience.”

By that measure, the Dutch DPA’s response has been relatively commendable. State secretaries proactively informed parliament. Affected staff were notified. The National Cyber Security Centre (NCSC) was engaged to coordinate the government-wide response. And the DPA has been cooperative with press inquiries.

Still, the incident provides ammunition for organizations that have been on the receiving end of DPA enforcement actions. Arguments along the lines of “they can’t even protect their own data” may feature in future legal proceedings, even if such arguments are technically irrelevant to the merits of individual cases.

Lessons for All Organizations

The Dutch DPA breach offers several sobering lessons that apply well beyond the corridors of government:

1. Zero-Days Spare No One

Zero-day vulnerabilities are the great equalizer in cybersecurity. No amount of compliance documentation, staff training, or security policies can protect against attacks that exploit unknown flaws. The DPA, despite presumably having strong security awareness and dedicated IT resources, fell victim to an attack that even sophisticated enterprises struggle to prevent.

Takeaway: Defense in depth, network segmentation, and assume-breach mentalities are essential. Prepare for the inevitability of compromise, not just prevention.

2. Vendor Risk is Your Risk

The DPA didn’t write the vulnerable code—Ivanti did. But the DPA bore the consequences. This is a pattern we see repeatedly: third-party software becomes the attack vector, but the customer suffers the breach.

Takeaway: Rigorous vendor security assessments, timely patch application, and monitoring of security advisories for critical software are non-negotiable.

3. Transparency Matters

The Dutch government’s relatively swift disclosure—through a letter to parliament within days of confirming the breach—sets a reasonable example. While the investigation is ongoing and details remain incomplete, the acknowledgment of the incident and commitment to inform affected parties reflects the transparency that regulators expect from the organizations they oversee.

Takeaway: Practice what you preach. If you’re a regulator or an organization that demands transparency from others, you must model that behavior yourself.

4. Mobile Device Management is a High-Value Target

EPMM/MobileIron systems manage device policies and application distribution, and often serve as gateways to corporate resources. Compromising such a system gives attackers a foothold into the broader enterprise. It’s no coincidence that APT groups have repeatedly targeted MDM solutions.

Takeaway: MDM infrastructure should be treated as critical and segmented from other systems. Consider the blast radius if these systems are compromised.
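The two takeaways above (apply vendor fixes promptly and watch advisories for critical software; treat MDM as critical, segmented infrastructure and think about its blast radius) can be turned into a repeatable check. The Python below is an added example, not code from the article, from Ivanti, or from the Dutch government. It assumes a constructed asset inventory and a constructed advisory record: every hostname, version, network segment and the interim-patch identifier are placeholders, and only the CVE numbers and the 12.8.0.0 fix version are taken from the text above. It ranks unpatched MDM hosts by exposure so the internet-facing ones are remediated first, and compares versions numerically rather than as strings, a common mistake in home-grown patch checks.

```python
"""Advisory-vs-inventory triage for a mobile device management (MDM) fleet.

Added example; not code from the article, from Ivanti or from the Dutch
government. Hostnames, versions, segments and the interim-patch identifier
are constructed placeholders; only the CVE ids and the 12.8.0.0 fix version
come from the article.
"""
from dataclasses import dataclass, field
from typing import List, Tuple


def parse_version(v: str) -> Tuple[int, ...]:
    """'12.8.0.0' -> (12, 8, 0, 0): compare numerically, never as strings."""
    return tuple(int(part) for part in v.split("."))


@dataclass
class Advisory:
    cves: List[str]
    product: str
    fixed_version: str   # first release carrying the permanent fix
    interim_patch: str   # vendor's temporary patch id (placeholder value below)
    cvss: float


@dataclass
class Asset:
    hostname: str
    product: str
    version: str
    interim_patches: List[str] = field(default_factory=list)
    internet_exposed: bool = False   # admin/auth interface reachable from the internet
    segment: str = "corp"            # network segment the host sits in


def is_vulnerable(asset: Asset, adv: Advisory) -> bool:
    """Vulnerable if it is the affected product, below the fixed release,
    and the interim patch has not been applied."""
    if asset.product != adv.product:
        return False
    if parse_version(asset.version) >= parse_version(adv.fixed_version):
        return False
    return adv.interim_patch not in asset.interim_patches


def risk_tier(asset: Asset, adv: Advisory) -> str:
    """Order remediation by blast radius: an unpatched MDM on the internet
    first, one reachable from the general user network next, an isolated
    one last."""
    if not is_vulnerable(asset, adv):
        return "patched"
    if asset.internet_exposed:
        return "critical"
    if asset.segment == "corp":
        return "high"
    return "medium"


def triage(assets: List[Asset], adv: Advisory) -> List[Tuple[str, str]]:
    """Return (tier, hostname) pairs, most urgent first."""
    order = {"critical": 0, "high": 1, "medium": 2, "patched": 3}
    ranked = [(risk_tier(a, adv), a.hostname) for a in assets]
    return sorted(ranked, key=lambda t: (order[t[0]], t[1]))


# Constructed advisory record: CVE ids and fix version from the article,
# the interim patch id is a placeholder.
ADVISORY = Advisory(
    cves=["CVE-2026-1281", "CVE-2026-1340"],
    product="EPMM",
    fixed_version="12.8.0.0",
    interim_patch="PLACEHOLDER-interim-rpm",
    cvss=9.8,
)

# Constructed inventory; every host and version here is made up.
ASSETS = [
    Asset("mdm-dmz-01", "EPMM", "12.7.0.0", internet_exposed=True, segment="dmz"),
    Asset("mdm-corp-02", "EPMM", "12.6.0.1"),
    Asset("mdm-lab-03", "EPMM", "12.7.0.0", interim_patches=["PLACEHOLDER-interim-rpm"]),
    Asset("mdm-mgmt-04", "EPMM", "12.8.0.0", segment="mgmt"),
    # "9.9.0.0" sorts *above* "12.8.0.0" as a string; parse_version gets it right.
    Asset("mdm-iso-05", "EPMM", "9.9.0.0", segment="isolated"),
    Asset("vpn-gw-06", "OtherProduct", "1.0.0"),   # not the affected product
]

if __name__ == "__main__":
    for tier, host in triage(ASSETS, ADVISORY):
        print(f"{tier:9s} {host}")
```

In practice the inventory would come from the CMDB or the MDM console's own export and the advisory record from a vendor feed; the point of the `segment` and `internet_exposed` fields is that patch status alone does not tell you which host to fix first.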

The Trust Deficit This Creates

Data protection authorities exist because of a fundamental asymmetry: individuals lack the power to hold large organizations accountable for how their personal data is used. Regulators are supposed to be the trusted intermediaries who wield that power on behalf of citizens.

When regulators themselves suffer breaches, it chips away at that trust—even when, as in this case, the breach appears to have been limited in scope and the response has been appropriate.

The European Data Protection Board (EDPB), which coordinates among national supervisory authorities, has not yet issued a formal statement on the Dutch incident. Given the potential for similar vulnerabilities to affect other government agencies across Europe using the same software, a broader coordinated response may be warranted.

For now, the Dutch DPA continues its work—investigating others while presumably investigating itself, enforcing GDPR while learning its own GDPR lessons. The watchmen are watching themselves, and the irony is lost on no one.

What Happens Next

Several threads remain to be resolved:

  • Scope determination: Exactly how many employees were affected, and was any data beyond contact information accessed?
  • Threat actor attribution: Who exploited the Ivanti vulnerabilities against Dutch government systems? Was this opportunistic or targeted?
  • Broader government impact: Which other Dutch agencies were compromised in the same campaign?
  • Enforcement implications: Will ongoing DPA investigations be affected by potential compromise of investigation files or communications?

For organizations subject to Dutch DPA oversight, the incident offers a moment of uncomfortable empathy. Even the enforcers aren’t safe. And in a world of persistent threats and zero-day vulnerabilities, that may be the most honest lesson of all.


The Dutch Data Protection Authority has established a dedicated hotline for data breach inquiries at 088-1805 255. The National Cyber Security Centre continues to monitor the situation and has issued guidance for affected organizations.