The Dutch Data Protection Authority (AP) and the Council of Justice in the Netherlands have acknowledged that the two agencies (Rvdr) have revealed that their systems were affected by a cyberattack that exploited a recently disclosed security flaw in Ivanti Endpoint Manager Mobile (EPMM), according to a notice sent to the country’s parliament on Friday.
Dutch authorities announced, “On January 29, the National Cyber Security Center (NCSC) received a notification from a supplier of a vulnerability in EPMM.” “EPMM is used to manage mobile devices, apps, and content, including security.”
“We discovered that AP employees’ work-related data, including their names, work email addresses, and phone numbers, had been accessed by unauthorized parties.”
The move comes as the European Commission also revealed that its central infrastructure for managing mobile devices had identified “signs” of a cyberattack that may have led to access to the names and mobile phone numbers of some staff. The commission announced that the incident was contained within nine hours and no compromise of mobile devices was detected.
“The Commission takes the security and resiliency of its internal systems and data seriously and will continue to monitor the situation,” it added. “We will take all necessary steps to ensure the security of our systems.”
The vendor name has been identified, and details about how the attackers gained access have not been disclosed, but it is suspected to be associated with malicious activity exploiting flaws in Ivanti EPMM.
Valtori, Finland’s state-run information and communications technology provider, also disclosed a breach that exposed the work-related details of up to 50,000 government employees. The incident, confirmed on January 30, 2026, targeted a zero-day vulnerability in a mobile device management service.
The agency said the patch was installed on January 29, 2026, the same day Ivanti released fixes for CVE-2026-1281 and CVE-2026-1340 (CVSS score: 9.8), which could be exploited by an attacker to execute unauthenticated remote code. Ivanti revealed that this vulnerability was exploited as a zero-day.
The attackers allegedly accessed information used to operate the service, including names, work emails, phone numbers, and device details.
“Our investigation revealed that the management system did not permanently delete the deleted data, but merely marked it as deleted,” it said. “As a result, data for devices and users belonging to all organizations that used the service during its lifecycle may have been compromised. In some cases, there may be multiple users on a single mobile device.”
Source link
