Executive Summary
In what might be the most ironic cybersecurity incident of 2026, the Dutch Data Protection Authority (Autoriteit Persoonsgegevens, or AP)—the very agency tasked with enforcing privacy laws and investigating data breaches—became a breach victim itself in February 2026.
Personal data of AP employees, along with staff from the Council for Justice (Raad voor de Rechtspraak, or RVDR), was accessed by unauthorized parties through vulnerabilities in Ivanti Endpoint Manager Mobile (EPMM), specifically CVE-2026-1281 and CVE-2026-1340. These zero-day vulnerabilities, exploited by sophisticated threat actors, allowed attackers to gain unauthorized access to systems containing sensitive employee information.
The incident raises profound questions about organizational security, regulatory expectations, and the challenges of securing complex technology supply chains—even for organizations whose entire mission revolves around data protection.
The Breach: What Happened
Timeline of Events
Early February 2026: Ivanti disclosed two critical zero-day vulnerabilities in its Endpoint Manager Mobile (EPMM) platform:
- CVE-2026-1281: Authentication bypass vulnerability
- CVE-2026-1340: Remote code execution vulnerability
These vulnerabilities were being actively exploited in the wild by sophisticated threat actors, likely state-sponsored groups, before patches were available.
February 7, 2026: The Dutch Data Protection Authority and the Council for Justice publicly disclosed that their systems had been compromised through these Ivanti vulnerabilities. Unauthorized parties accessed personal data of employees at both organizations.
February 9, 2026: The Register reported additional details, confirming that the Dutch cybersecurity agency (NCSC-NL) was monitoring the situation and working to understand the full scope of the threat these vulnerabilities presented to Dutch government agencies.
What Was Compromised
The breach exposed personal data of employees at two critical Dutch government entities:
Dutch Data Protection Authority (AP):
- Employee names and contact information
- Work-related email addresses
- Internal organizational data
- Potentially sensitive case information (under investigation)
Council for Justice (RVDR):
- Similar employee personal information
- Justice system personnel data
- Internal communications
The exact scope of accessed data remains under investigation, but the Dutch AP confirmed that personal data of staff members was definitely accessed by unauthorized parties.
The Vulnerability: Ivanti EPMM Zero-Days
Ivanti Endpoint Manager Mobile (EPMM), formerly known as MobileIron, is widely used by enterprises and government agencies to manage and secure mobile devices. The platform has been a frequent target for sophisticated threat actors due to its privileged position in enterprise networks.
CVE-2026-1281: Authentication Bypass
- Severity: Critical
- Impact: Allows unauthenticated attackers to bypass authentication mechanisms
- Exploitation: Active in-the-wild exploitation before patch availability
CVE-2026-1340: Remote Code Execution
- Severity: Critical
- Impact: Enables attackers to execute arbitrary code on vulnerable systems
- Exploitation: Chained with CVE-2026-1281 for full system compromise
When chained together, these vulnerabilities provided attackers with:
- Initial access without requiring credentials
- Code execution with elevated privileges
- Persistent presence within the compromised environment
- Data access to sensitive organizational information
The Ivanti Problem: A Pattern of Exploitation
This isn’t Ivanti’s first rodeo with critical vulnerabilities and widespread exploitation. The company’s products have been targeted repeatedly by sophisticated threat actors, creating significant risk for organizations that rely on them.
Recent Ivanti Security Incidents
2024: Multiple Zero-Day Campaigns
Throughout 2024, Chinese APT groups exploited multiple zero-day vulnerabilities in Ivanti Connect Secure VPN appliances, compromising organizations worldwide. The attacks were so widespread that CISA issued emergency directives requiring federal agencies to disconnect Ivanti devices.
2025: Continued Exploitation
Additional vulnerabilities in Ivanti products continued to be discovered and exploited, with several requiring emergency patching and, in some cases, complete device replacement.
2026: The Dutch Government Compromise
The CVE-2026-1281 and CVE-2026-1340 vulnerabilities represent the latest in a troubling pattern. Government agencies in the Netherlands, known for robust cybersecurity practices, were compromised before patches could be deployed.
Why Ivanti Products Are Attractive Targets
Several factors make Ivanti’s products particularly attractive to sophisticated threat actors:
1. Network Position: Ivanti’s products typically sit at critical network boundaries or have privileged access to enterprise resources:
- VPN appliances provide direct access to internal networks
- Mobile device management platforms have access to sensitive employee data
- Endpoint management tools have system-level privileges
2. Enterprise and Government Adoption: Ivanti products are widely deployed in high-value target environments:
- Government agencies at all levels
- Large enterprises with sensitive data
- Critical infrastructure organizations
- Healthcare and financial institutions
3. Single Point of Compromise: Successfully exploiting an Ivanti device can provide:
- Access to multiple internal systems
- Credential harvesting opportunities
- Lateral movement capabilities
- Long-term persistence mechanisms
4. Complex Patching Requirements: Ivanti appliances can be challenging to patch:
- Appliances may require significant downtime
- Patching may impact business-critical functions
- Some vulnerabilities require complete device replacement
- Emergency patches may introduce stability issues
The Irony: When the Privacy Police Get Breached
The compromise of the Dutch Data Protection Authority carries profound irony that hasn’t been lost on the cybersecurity community.
The AP’s Mission and Authority
The Autoriteit Persoonsgegevens is one of Europe’s most active and aggressive privacy regulators:
Enforcement Authority:
- Investigates data breaches and privacy violations
- Issues significant fines for GDPR non-compliance
- Sets standards for data protection practices
- Educates organizations about privacy requirements
Recent Enforcement Actions:
- October 2025: Fined Experian €2.7 million for GDPR violations related to unauthorized data collection
- Ongoing: Multiple investigations into big tech companies for privacy violations
- Strategic Priorities: The AP’s 2026-2028 plan focuses on Algorithms & AI, Big Tech, Freedom & Security, Data Trade, and Digital Government
GDPR Requirements: Under GDPR, organizations must:
- Report data breaches to the AP within 72 hours
- Implement appropriate technical and organizational measures
- Conduct data protection impact assessments
- Maintain security commensurate with risk
Reporting to Yourself: The Meta-Breach
Here’s where the situation becomes particularly complex: When the privacy regulator gets breached, who investigates?
The AP’s Response: According to The Register, the AP’s Data Protection Officer (DPO) is handling the breach investigation—a somewhat unusual situation where the organization investigates itself. Meanwhile, the AP’s regular staff are investigating the breach at the Council for Justice (RVDR), which reported its breach to the authority as required by law.
This creates an interesting dynamic:
- The AP must comply with its own breach notification requirements
- The AP’s DPO investigates the AP’s own breach
- The AP simultaneously investigates the RVDR breach
- The AP must demonstrate compliance with standards it enforces on others
NCSC-NL Involvement: The Dutch National Cyber Security Centre (NCSC-NL) is actively monitoring the situation and working with partners to understand the full scope of the Ivanti vulnerabilities’ impact on Dutch government agencies.
Lessons Learned: Nobody Is Immune
While there’s certainly irony in the situation, the breach of the Dutch AP provides valuable lessons for all organizations—regardless of their mission or security sophistication.
Lesson 1: Zero-Days Don’t Discriminate
The Reality: No organization, regardless of security maturity, can completely defend against zero-day vulnerabilities being actively exploited by sophisticated threat actors.
The Dutch government is known for strong cybersecurity practices:
- Robust national cybersecurity strategy
- Well-resourced security agencies
- Mandatory security standards for government entities
- Active threat intelligence sharing
Despite these advantages, its agencies still fell victim to the Ivanti zero-days. This highlights an uncomfortable truth: when sophisticated adversaries exploit zero-day vulnerabilities before patches are available, even well-defended organizations can be compromised.
What This Means:
- Assume breach mentality must guide security architecture
- Detection and response capabilities are as critical as prevention
- Supply chain security extends to third-party software vendors
- Rapid incident response can limit breach impact
Lesson 2: Third-Party Risk Is Everyone’s Risk
The Challenge: The Dutch AP didn’t develop the vulnerable software—they relied on Ivanti as a trusted vendor. Yet the consequences of Ivanti’s security failures became the AP’s problem.
This is the fundamental challenge of modern technology supply chains:
- Organizations depend on dozens or hundreds of third-party software vendors
- Each vendor represents a potential attack vector
- Vendor security failures create organizational risk
- Organizations have limited visibility into vendor security practices
Vendor Risk Management Reality: Traditional vendor risk management approaches often fall short:
- Security questionnaires are point-in-time assessments that don’t reflect ongoing security posture
- Compliance certifications (ISO 27001, SOC 2) don’t prevent zero-day exploits
- Contractual security requirements can’t eliminate vulnerabilities
- Even thorough vetting can’t predict future security incidents
What Organizations Need:
- Continuous vendor monitoring: Track security incidents and vulnerabilities in vendor products
- Rapid patch deployment processes: Ability to quickly deploy emergency patches when released
- Vendor communication channels: Direct lines to vendors for security incidents
- Alternative vendors: Backup options when primary vendors experience security issues
- Isolation and segmentation: Architecture that limits vendor compromise impact
Lesson 3: Security Is About Resilience, Not Perfection
The AP’s Response: While we can note the irony of the privacy regulator getting breached, we should also recognize that the AP appears to have responded appropriately:
✅ Rapid Detection: The breach was identified relatively quickly
✅ Public Disclosure: The AP disclosed the breach publicly and transparently
✅ Regulatory Compliance: The AP followed GDPR breach notification requirements
✅ Investigation: Proper investigation procedures were initiated
✅ Coordination: Working with NCSC-NL and other agencies
This demonstrates an important principle: Security success isn’t measured by whether you get breached—it’s measured by how quickly you detect, respond, and recover.
Indicators of Security Maturity:
- Time to detection (TTD)
- Time to containment (TTC)
- Time to recovery (TTR)
- Transparency in disclosure
- Effectiveness of remediation
- Lessons learned and improvements implemented
Lesson 4: Regulatory Expectations Must Be Realistic
The Uncomfortable Question: If the privacy regulator itself can be compromised through vendor zero-days, what does that mean for the organizations they regulate?
GDPR’s “Appropriate Measures” Standard: GDPR requires organizations to implement “appropriate technical and organizational measures” to ensure security appropriate to the risk. But what’s “appropriate” when even privacy regulators can be breached?
Regulatory Reasonableness: This incident should inform regulatory expectations:
- Perfection is impossible: No security control can prevent all breaches
- Zero-days are unforeseeable: Organizations can’t patch vulnerabilities that aren’t disclosed
- Response matters more than prevention: Quick detection and response should factor into compliance assessments
- Supply chain dependencies: Regulatory frameworks must account for third-party risks
What Regulators Should Consider:
- Were reasonable security controls in place before the breach?
- Did the organization respond appropriately when the breach occurred?
- Were industry best practices followed for patch management and vendor risk?
- Did the organization learn from the incident and implement improvements?
Technical Analysis: The Ivanti EPMM Vulnerabilities
CVE-2026-1281: Authentication Bypass
Vulnerability Details: The authentication bypass vulnerability allowed attackers to circumvent authentication mechanisms in Ivanti EPMM without providing valid credentials.
Attack Chain:
- Attacker identifies internet-facing Ivanti EPMM instance
- Crafts specially formatted request that bypasses authentication
- Gains unauthorized administrative access to the platform
- Can now access all data managed by EPMM, including device information and corporate data
Impact:
- Complete bypass of authentication controls
- Administrative access without credentials
- Access to managed mobile devices
- Potential for further network compromise
CVE-2026-1340: Remote Code Execution
Vulnerability Details: A remote code execution vulnerability that, when chained with the authentication bypass, allowed attackers to execute arbitrary code on the Ivanti EPMM server.
Attack Chain:
- Leverage CVE-2026-1281 to gain initial access
- Exploit CVE-2026-1340 to execute code
- Deploy backdoors and persistence mechanisms
- Exfiltrate data and potentially move laterally
Impact:
- Full system compromise
- Ability to deploy malware and backdoors
- Data exfiltration capabilities
- Potential lateral movement to connected systems
Exploitation in the Wild
According to security researchers and NCSC-NL:
- Active exploitation before patches were available (zero-day status)
- Sophisticated threat actors, likely state-sponsored groups, behind the campaigns
- Targeted campaigns against high-value organizations
- Rapid exploitation once vulnerability information became public
Response and Remediation
Ivanti’s Response
Patch Release: Ivanti released emergency patches for CVE-2026-1281 and CVE-2026-1340, though the timing relative to active exploitation created a window of opportunity for attackers.
Guidance:
- Recommended immediate patching for all EPMM instances
- Provided indicators of compromise (IOCs) for affected organizations
- Published security advisories with technical details
Historical Pattern: This incident continues Ivanti’s troubling pattern of critical vulnerabilities requiring emergency response from customers.
Dutch Government Response
NCSC-NL Actions:
- Monitoring the vulnerabilities and their exploitation
- Coordinating with affected government agencies
- Sharing threat intelligence with partners
- Assessing broader impact on Dutch government infrastructure
AP Response:
- Initiated internal investigation via Data Protection Officer
- Disclosed breach publicly within regulatory timeframes
- Coordinated with NCSC-NL and other agencies
- Began implementing remediation measures
Recommendations for Organizations
Immediate Actions
1. Ivanti EPMM Assessment: If you use Ivanti EPMM (or any Ivanti products):
- ✅ Verify patches for CVE-2026-1281 and CVE-2026-1340 are applied
- ✅ Review logs for indicators of compromise
- ✅ Conduct forensic analysis if suspicious activity is detected
- ✅ Consider isolating Ivanti devices until fully patched and verified clean
2. Vendor Risk Review:
- Inventory all third-party software in your environment
- Identify vendors with history of security incidents
- Assess criticality and replaceability of vendor products
- Develop contingency plans for vendor security failures
3. Detection Capabilities:
- Ensure logging is enabled for all critical systems
- Implement anomaly detection for privileged systems
- Deploy network monitoring for unusual outbound connections
- Establish baseline behavior for critical appliances
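As an added example (not code from the article or from any of the organizations it names), the following Python script shows the baseline-then-deviation approach the Detection Capabilities items describe for third-party appliances: it learns which destinations a management appliance normally talks to and how much it sends per hour, then flags unseen destinations, appliances with no baseline at all, and hourly volume spikes. The flow records, hostnames (epmm-01, vpn-02), TEST-NET addresses and byte counts are all constructed for the example.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample flow records (timestamp,src_host,dst_ip,dst_port,bytes).
# Hosts, TEST-NET addresses and byte counts are invented for this example.
BASELINE_FLOWS = """\
2026-01-20T08:05:00,epmm-01,203.0.113.10,443,15200
2026-01-20T08:40:00,epmm-01,203.0.113.20,443,8800
2026-01-20T13:10:00,epmm-01,203.0.113.10,443,16100
2026-01-21T08:05:00,epmm-01,203.0.113.10,443,14900
2026-01-21T09:30:00,epmm-01,203.0.113.20,443,9100
2026-01-22T08:05:00,epmm-01,203.0.113.10,443,15500
"""
RECENT_FLOWS = """\
2026-02-05T02:15:00,epmm-01,198.51.100.7,443,64000
2026-02-05T02:20:00,epmm-01,198.51.100.7,443,61000
2026-02-05T02:45:00,epmm-01,203.0.113.10,443,15000
2026-02-05T08:05:00,epmm-01,203.0.113.10,443,15300
2026-02-05T08:10:00,vpn-02,203.0.113.30,443,4000
"""

def hour_of(ts):
    return ts.replace(minute=0, second=0, microsecond=0)

def parse_flows(text):
    rows = []
    for line in text.strip().splitlines():
        ts, src, dst, port, nbytes = line.split(",")
        rows.append((datetime.fromisoformat(ts), src, dst, int(port), int(nbytes)))
    return rows

def build_baseline(rows):
    """Per appliance: the (dst, port) pairs seen and the largest hourly byte total."""
    known, hourly, max_hourly = defaultdict(set), defaultdict(int), defaultdict(int)
    for ts, src, dst, port, nbytes in rows:
        known[src].add((dst, port))
        hourly[(src, hour_of(ts))] += nbytes
    for (src, _), total in hourly.items():
        max_hourly[src] = max(max_hourly[src], total)
    return dict(known), dict(max_hourly)

def detect_deviations(baseline, rows, volume_factor=3.0):
    """Flag unknown appliances, unseen destinations and hourly egress above volume_factor x baseline peak."""
    known, max_hourly = baseline
    alerts, seen, hourly = [], set(), defaultdict(int)
    for ts, src, dst, port, nbytes in rows:
        if src not in known:  # no baseline at all: cannot judge, report once
            if src not in seen:
                seen.add(src)
                alerts.append({"kind": "no-baseline", "src": src, "detail": "appliance not in baseline"})
            continue
        if (dst, port) not in known[src] and (src, dst, port) not in seen:
            seen.add((src, dst, port))
            alerts.append({"kind": "new-destination", "src": src,
                           "detail": f"{dst}:{port} first seen {ts.isoformat()}"})
        hourly[(src, hour_of(ts))] += nbytes
    for (src, hour), total in hourly.items():
        if total > volume_factor * max_hourly[src]:
            alerts.append({"kind": "volume-spike", "src": src,
                           "detail": f"{total} bytes in hour starting {hour.isoformat()}"})
    return alerts

def analyze_sample():
    baseline = build_baseline(parse_flows(BASELINE_FLOWS))
    return detect_deviations(baseline, parse_flows(RECENT_FLOWS))
```

On the constructed data, the off-hours traffic to a never-seen address is reported both as a new destination and as a volume spike, while the appliance with no baseline is reported once rather than judged.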
Strategic Improvements
1. Supply Chain Security Program:
Vendor Assessment Framework:
- Security incident history and pattern analysis
- Patch release frequency and quality
- Vendor security transparency and communication
- Alternative vendor options and switching costs
Continuous Monitoring:
- Subscribe to vendor security advisories
- Monitor security news for vendor mentions
- Track CVE disclosures for vendor products
- Participate in threat intelligence sharing
Contractual Requirements:
- Security incident notification timelines
- Patch release service level agreements
- Access to security documentation and testing
- Liability and insurance requirements
2. Assume Breach Architecture:
Segmentation:
- Isolate third-party appliances from critical systems
- Implement network segmentation to limit lateral movement
- Use micro-segmentation for sensitive data environments
- Deploy jump boxes for administrative access
Least Privilege:
- Limit privileges for third-party appliances
- Implement just-in-time access for administrative functions
- Use separate accounts for different privilege levels
- Regularly review and revoke unnecessary permissions
Monitoring and Detection:
- Deploy endpoint detection and response (EDR) where possible
- Implement network traffic analysis
- Use security information and event management (SIEM) for correlation
- Establish baseline behavior and alert on deviations
3. Incident Response Readiness:
Vendor Compromise Playbook: Develop specific playbooks for vendor security incidents:
- How to rapidly assess if your organization is affected
- Emergency patching procedures and approval processes
- Forensic investigation procedures for vendor products
- Communication plans for stakeholders and customers
- Business continuity if vendor products must be isolated
Rapid Response Capabilities:
- Pre-approved emergency change processes
- On-call security team with clear escalation paths
- Relationships with forensic firms for complex incidents
- Tested backup and recovery procedures
Communication Plans:
- Internal stakeholder notification procedures
- Customer notification templates (if applicable)
- Regulatory reporting requirements and timelines
- Public relations strategy for breach disclosure
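As an added example (not the article's code or any vendor's tooling), the following Python script implements the continuous-monitoring and emergency-patching idea from the Supply Chain Security Program and Incident Response Readiness items: it matches a software inventory against vendor advisory records and assigns each finding a patch priority and deadline, treating exploited-in-the-wild issues on internet-facing assets as emergencies. The advisory format, inventory, hostnames and every version number are constructed placeholders; the two CVE IDs are the ones named in the article, but the affected versions attached to them are not Ivanti's actual advisory data.

```python
from datetime import datetime, timedelta

# Constructed advisory records in a simplified shape chosen for this example
# (not the NVD or Ivanti advisory schema). The two CVE IDs are the ones the
# article names; the "fixed_in" values are placeholders, not Ivanti's real data.
ADVISORIES = [
    {"cve": "CVE-2026-1281", "vendor": "ivanti", "product": "epmm",
     "fixed_in": "12.6.0", "cvss": 9.8, "exploited_in_wild": True},
    {"cve": "CVE-2026-1340", "vendor": "ivanti", "product": "epmm",
     "fixed_in": "12.6.0", "cvss": 8.8, "exploited_in_wild": True},
    {"cve": "EXAMPLE-2026-0001", "vendor": "examplevendor", "product": "mailgw",
     "fixed_in": "3.2.1", "cvss": 6.5, "exploited_in_wild": False},
]

# Constructed inventory: hostnames, versions and exposure flags are invented.
INVENTORY = [
    {"host": "mdm-01", "vendor": "ivanti", "product": "epmm", "version": "12.5.2", "internet_facing": True},
    {"host": "mdm-02", "vendor": "ivanti", "product": "epmm", "version": "12.6.0", "internet_facing": True},
    {"host": "mail-gw", "vendor": "examplevendor", "product": "mailgw", "version": "3.1.0", "internet_facing": True},
    {"host": "build-07", "vendor": "examplevendor", "product": "ci", "version": "1.0.0", "internet_facing": False},
]
SAMPLE_NOW = datetime(2026, 2, 7, 9, 0)  # constructed reference time for the deadlines

def version_key(version):
    """Numeric tuple so that 12.10.0 sorts after 12.9.1 (string comparison would not)."""
    return tuple(int(part) for part in version.split("."))

def is_affected(asset, adv):
    return (asset["vendor"] == adv["vendor"] and asset["product"] == adv["product"]
            and version_key(asset["version"]) < version_key(adv["fixed_in"]))

def patch_deadline(adv, asset, now):
    """Exploited in the wild on an exposed asset: 24h. Exploited or CVSS >= 9: 72h. Else 30 days."""
    if adv["exploited_in_wild"] and asset["internet_facing"]:
        return "emergency", now + timedelta(hours=24)
    if adv["exploited_in_wild"] or adv["cvss"] >= 9.0:
        return "urgent", now + timedelta(hours=72)
    return "standard", now + timedelta(days=30)

def match_inventory(inventory, advisories, now):
    """Return affected (host, CVE) pairs with priority and due date, most urgent first."""
    findings = []
    for asset in inventory:
        for adv in advisories:
            if is_affected(asset, adv):
                priority, due = patch_deadline(adv, asset, now)
                findings.append({"host": asset["host"], "cve": adv["cve"], "priority": priority,
                                 "due": due.isoformat(),
                                 "action": f"upgrade to {adv['fixed_in']} or isolate until patched"})
    rank = {"emergency": 0, "urgent": 1, "standard": 2}
    return sorted(findings, key=lambda f: (rank[f["priority"]], f["host"]))

if __name__ == "__main__":
    for f in match_inventory(INVENTORY, ADVISORIES, SAMPLE_NOW):
        print(f"{f['priority']:9} {f['host']:8} {f['cve']:18} due {f['due']}  {f['action']}")
```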
The Bigger Picture: Regulatory Humility
Perhaps the most important lesson from the Dutch AP breach is the need for regulatory humility—an acknowledgment that perfect security is impossible and that even regulators themselves face the same challenges as the organizations they oversee.
What This Means for Privacy Regulation
1. Reasonable Standards: Privacy regulations should expect reasonable security measures, not perfect security. Organizations that implement industry best practices, respond quickly to incidents, and continuously improve should not face punitive enforcement even when breaches occur.
2. Supply Chain Reality: Regulators must acknowledge that organizations have limited control over third-party vendor security. Regulatory frameworks should focus on vendor selection due diligence, rapid patch deployment, and incident response rather than absolute prevention.
3. Transparency Over Perfection: Organizations that quickly detect, disclose, and respond to breaches should be viewed more favorably than those that maintain perfect compliance records but have unknown security posture. The AP’s own transparent disclosure of its breach demonstrates this principle.
4. Practical Guidance: Regulators should provide practical, actionable guidance based on real-world threats rather than theoretical compliance requirements. The AP’s experience with Ivanti zero-days provides valuable insight into the challenges organizations face.
Conclusion: We’re All in This Together
The breach of the Dutch Data Protection Authority serves as a humbling reminder that cybersecurity is hard for everyone. No organization—regardless of mission, resources, or expertise—is immune to sophisticated attacks exploiting zero-day vulnerabilities.
Rather than viewing this incident as evidence of hypocrisy or regulatory failure, we should recognize it as proof that:
✅ The threat landscape is genuinely challenging for all organizations
✅ Supply chain security risks are universal and difficult to mitigate
✅ Rapid response and transparency matter more than perfection
✅ Regulators and regulated organizations face the same fundamental challenges
The Dutch AP’s experience should inform more realistic, practical approaches to privacy regulation and cybersecurity expectations. By acknowledging the genuine difficulty of defending against sophisticated attacks, we can build regulatory frameworks that encourage transparency, reward good security practices, and focus on resilience rather than perfection.
The real question isn’t whether organizations will be breached—it’s whether they’ll detect it quickly, respond effectively, and learn from the experience.
In that regard, the Dutch AP appears to be doing exactly what it would expect from the organizations it regulates: detecting, disclosing, and responding. And that’s a model worth following.
Additional Resources
For Privacy Officers:
- GDPR Breach Notification Requirements
- Dutch AP Breach Notification Guidelines
- EU Data Protection Board Guidance
For Security Teams:
- Ivanti Security Advisories (CVE-2026-1281, CVE-2026-1340)
- NCSC-NL Threat Intelligence Updates
- CISA Ivanti Vulnerability Guidance
For Risk Management:
- Third-Party Risk Management Framework
- Vendor Security Assessment Templates
- Supply Chain Security Best Practices
This article is based on public reporting from DataBreaches.net, The Register, NCSC-NL, and official Dutch government disclosures. Organizations concerned about Ivanti vulnerabilities should consult directly with Ivanti and their security vendors.