Full Report
APA reports: Personal data of employees of the Dutch Data Protection Authority (Autoriteit Persoonsgegevens, AP) and the Council for Justice was accessed by unauthorized persons as a result of a leak caused by a vulnerability in software used by government agencies, APA reports citing ANP news agency. According to the agency, a bug in Ivanti Endpoint Manager...
Analysis Summary
# Incident Report: Vulnerability Exploitation in Ivanti EPM Leads to Dutch Government Data Leak
## Executive Summary
Unauthorized actors exploited a vulnerability within Ivanti Endpoint Manager (EPM) software utilized by Dutch government agencies, including the Data Protection Authority (AP) and the Council for Justice. This incident resulted in the unauthorized access and potential compromise of the personal data of employees from these organizations. The response is ongoing as the scope of the compromise is being assessed following the initial detection of the vulnerability's exploitation.
## Incident Details
- Discovery Date: Not explicitly stated; discovery preceded the report published on Feb 7, 2026.
- Incident Date: Not explicitly stated; the incident occurred before the reporting date (Feb 7, 2026).
- Affected Organization: Dutch Data Protection Authority (Autoriteit Persoonsgegevens, AP) and the Council for Justice.
- Sector: Government/Public Administration
- Geography: Netherlands
## Timeline of Events
### Initial Access
- Date/Time: Unknown, prior to February 7, 2026 report.
- Vector: Software vulnerability (bug) in Ivanti Endpoint Manager (EPM), the product named throughout this report.
- Details: A flaw in the Ivanti EPM software allowed third parties to gain unauthorized access to systems.
### Lateral Movement
- Details: Not described in the source. The unauthorized access may have allowed movement to the endpoints or servers managed by EPM, but this is inference, not reported fact.
### Data Exfiltration/Impact
- Details: Personal information belonging to employees, including names, email addresses, and phone numbers, was accessed by unauthorized persons.
### Detection & Response
- Details: The incident became public through APA reporting, which cited the ANP news agency. How the affected agencies themselves detected the intrusion is not stated, and their response actions are implied but not detailed beyond acknowledgement of the breach.
## Attack Methodology
*Note: Specific MITRE ATT&CK techniques are inferred based on the described vector.*
- Initial Access: **T1190** (Exploit Public-Facing Application - specifically the Ivanti EPM software).
- Persistence: Not detailed.
- Privilege Escalation: Not detailed; the access obtained through the vulnerability may already have carried sufficient rights, making separate escalation unnecessary.
- Defense Evasion: Not detailed.
- Credential Access: Not detailed.
- Discovery: Likely occurred post-exploitation to locate employee records (inferred, not reported).
- Lateral Movement: Not detailed.
- Collection: Gathering of employee personal data (names, emails, phone numbers).
- Exfiltration: Likely followed collection (inferred; the source states only that the data was accessed).
- Impact: Data exposure/theft.
## Impact Assessment
- Financial: Not available.
- Data Breach: Personal data of employees (Names, email addresses, phone numbers) from AP and the Council for Justice.
- Operational: Possible disruption to government operations from the security remediation required; not specified in the source.
- Reputational: Significant reputational damage for the affected Dutch government bodies handling sensitive data.
## Indicators of Compromise
- *No specific IoCs (IPs, domains, hashes) were provided in the source text.*
- Behavioral Indicators: Unauthorized access from external sources via the Ivanti EPM vulnerability; unexpected logins or administrative activity on EPM servers and the endpoints they manage would be the relevant signals to review.
## Response Actions
- Containment measures: Not explicitly confirmed. Expected actions would include patching or mitigating the vulnerable Ivanti EPM instance and isolating affected systems.
- Eradication steps: Not detailed.
- Recovery actions: Not detailed.
## Lessons Learned
- Criticality of Third-Party Software Patch Management: The incident highlights the severe risk posed by unpatched vulnerabilities in widely deployed management software such as EPM, which typically holds privileged access to every endpoint it manages.
- Supply Chain Risk: Reliance on shared external software components means a single vulnerability can affect multiple downstream organizations simultaneously, as it did here with two separate government bodies.
## Recommendations
- **Immediate Patching:** Agencies must immediately apply patches or mitigations released by Ivanti for all versions of Endpoint Manager software.
- **Asset Inventory & Segmentation:** Maintain a comprehensive, real-time inventory of all software, especially externally facing management tools, and ensure network segmentation to limit the impact of a compromise.
- **Vendor Risk Management:** Increase scrutiny and auditing processes for security updates and vulnerabilities related to critical third-party software vendors.