Dutch Authorities 2026 Ivanti Zero-Day Data Exposure

High

Last updated 1 week ago

Summary

The Dutch Data Protection Authority (AP) and the Council for the Judiciary (Rvdr) confirmed their systems were compromised through exploitation of zero-day vulnerabilities in Ivanti Endpoint Manager Mobile (EPMM). The breach was discovered on January 29, 2026, and disclosed to the Dutch parliament on February 15, 2026. The attack exposed employee contact information, though the exact number of affected records was not specified. The incident highlights the risks associated with third-party software vulnerabilities affecting government agencies.

Attack Method

Exploitation of recently disclosed security flaws in Ivanti Endpoint Manager Mobile (EPMM)

Data Compromised

employee contact data

Lessons Learned

Failure in timely patch management and third-party risk assessment for critical software components. Recommendations include implementing more rigorous supply chain security controls, establishing faster vulnerability response procedures for critical infrastructure, and enhancing monitoring for exploitation of known vulnerabilities in third-party products.

Sources

Dutch Authorities Confirm Ivanti Zero-Day Exploit Exposed Employee Contact Data
Feb 2026

Key Facts

Company

Dutch Data Protection Authority (AP) and Council for the Judiciary (Rvdr)

Industry

Government

Location

Netherlands, Europe

Discovered

Jan 2026