Recent disclosures from the Netherlands’ Dutch Data Protection Authority (AP) and the Council for the Judiciary (Rvdr) highlight a significant cybersecurity incident. Both entities confirmed their systems were compromised due to vulnerabilities in Ivanti Endpoint Manager Mobile (EPMM). A notice sent to the Dutch parliament on Friday elaborated on the situation, emphasizing the breach of employee contact data.
Details of the Cybersecurity Breach
On January 29, 2026, Ivanti notified the National Cyber Security Center (NCSC) about security flaws in its EPMM product. This software plays a crucial role in managing mobile devices and ensuring their security. Unauthorized access to work-related information, including names, business email addresses, and phone numbers of AP employees, has been confirmed.
The European Commission has similarly reported a potential breach, stating that traces of a cyber attack were identified within its central mobile device management infrastructure. Despite the rapid containment of the incident within nine hours, the European Commission remains vigilant, assuring that none of its mobile devices were compromised.
Wider Implications Across Europe
Alongside the Dutch and EU incidents, Finland’s Valtori, the state information and communications technology provider, disclosed a breach affecting up to 50,000 government employees. This attack exploited a zero-day vulnerability within their mobile device management service, further illustrating the widespread impact of the Ivanti flaws.
Valtori’s investigation revealed that vulnerabilities, specifically CVE-2026-1281 and CVE-2026-1340, were used to execute unauthorized remote code execution. Despite the immediate application of patches provided by Ivanti, the breach still resulted in exposure of sensitive work-related data.
Response and Future Measures
The affected agencies have undertaken measures to secure their systems and prevent future attacks. The European Commission stressed its commitment to the security and resilience of its internal systems. Both the Dutch authorities and Valtori are conducting thorough investigations to mitigate the impact and prevent recurrence.
It has become evident that the management system failed to permanently erase deleted data, merely marking it as removed. This oversight has potentially compromised device and user data across multiple organizations. The situation underscores the critical need for robust data management policies and proactive security measures to safeguard sensitive information.
As investigations continue, the emphasis remains on enhancing cybersecurity frameworks and ensuring that vulnerabilities like these are swiftly addressed to protect organizational data from unauthorized access.
