Full Report
Staff data belonging to the regulator and judiciary's governing body accessed

The Dutch Data Protection Authority (AP) says it was one of the many organizations popped when attackers raced to exploit recent Ivanti vulnerabilities as zero-days.…
Analysis Summary
# Incident Report: Ivanti EPMM Zero-Day Exploitation Against Dutch Regulator
## Executive Summary
The Dutch Data Protection Authority (AP) confirmed it was compromised as part of widespread exploitation of zero-day vulnerabilities in Ivanti Endpoint Manager Mobile (EPMM) software. Attackers gained access on January 29, 2026, resulting in the potential exposure of personal data belonging to AP and the Council for the Judiciary (RVDR) staff. Response actions included direct notification of affected individuals and internal/external investigations by multiple Dutch agencies.
## Incident Details
- **Discovery Date:** Sometime between January 29 and February 9, 2026 (confirmed via a parliamentary letter on February 9, 2026)
- **Incident Date:** January 29, 2026
- **Affected Organizations:** Dutch Data Protection Authority (AP) and the Council for the Judiciary (RVDR)
- **Sector:** Government / Regulatory Oversight
- **Geography:** Netherlands
## Timeline of Events
### Initial Access
- **Date/Time:** January 29, 2026
- **Vector:** Exploitation of Ivanti Endpoint Manager Mobile (EPMM) zero-day vulnerabilities (CVE-2026-1281 and CVE-2026-1340).
- **Details:** Attackers exploited the vulnerabilities before vendor patches were widely available, targeting internet-facing EPMM devices.
### Lateral Movement
- **Details:** Not explicitly detailed in the summary, but the impact suggests successful network compromise beyond the initial entry point.
### Data Exfiltration/Impact
- Attackers accessed staff data belonging to the regulator (AP) and the judiciary's governing body (RVDR).
- Potentially accessed data includes names, business email addresses, and phone numbers of affected employees.
### Detection & Response
- **How it was discovered:** The incident was confirmed via a letter to the Dutch parliament by Justice Secretary Arno Rutte on February 9, 2026.
- **Response actions taken:** Affected individuals were notified directly. The AP's usual staff began investigating the breach at RVDR (which self-reported the incident). The NCSC-NL is monitoring the vulnerabilities (CVE-2026-1281 and CVE-2026-1340) and collaborating with partners. The CIO Rijk is assessing the broader risk to government systems.
## Attack Methodology
- **Initial Access:** Exploitation of Ivanti EPMM zero-day vulnerabilities (CVE-2026-1281 and CVE-2026-1340).
- **Persistence:** Not detailed.
- **Privilege Escalation:** Not detailed.
- **Defense Evasion:** Not detailed, but successful exploitation of zero-days implies initial evasion.
- **Credential Access:** Not detailed.
- **Discovery:** Not detailed.
- **Lateral Movement:** Not detailed, but implied by scope of data access across two entities.
- **Collection:** Gathering of staff personal data (names, emails, phone numbers).
- **Exfiltration:** Data transmission from the compromised systems.
- **Impact:** Unauthorized access and data breach of sensitive employee information.
## Impact Assessment
- **Financial:** Not disclosed.
- **Data Breach:** Personal data (names, business email addresses, phone numbers) belonging to staff of the AP and RVDR. Scale in terms of specific numbers not disclosed.
- **Operational:** Investigation required by multiple governmental bodies (AP, NCSC-NL, CIO Rijk).
- **Reputational:** Public confirmation via parliamentary correspondence, impacting the integrity of the data protection and judicial oversight bodies.
## Indicators of Compromise
- **Network indicators (defanged):** None provided in the source text.
- **File indicators:** None provided in the source text.
- **Behavioral indicators:** Network activity against internet-facing Ivanti EPMM instances consistent with exploitation of CVE-2026-1281/CVE-2026-1340 on or around January 29, 2026, before patches were applied.
## Response Actions
- **Containment measures:** The report implies a need to patch or isolate vulnerable Ivanti EPMM instances (as advised by external experts). Organizations that exposed vulnerable instances prior to disclosure needed to "tear down infrastructure."
- **Eradication steps:** Investigation and remediation efforts led by AP staff regarding the RVDR breach, coordinated monitoring by NCSC-NL.
- **Recovery actions:** Direct notification of all affected individuals.
## Lessons Learned
- **Key takeaways:** Internet-facing edge devices (like EPMM) are highly attractive targets for rapid exploitation ("zero-day hunting"). Patching alone is insufficient if exploitation occurs immediately upon disclosure or prior to patching.
- **What could have been done better:** Organizations using internet-exposed critical systems must preemptively assume compromise once zero-day exploitation is confirmed in the wild and initiate IR processes immediately, rather than waiting for full vendor confirmation or patch deployment.
## Recommendations
- Organizations running or managing Ivanti EPMM systems should verify whether vulnerable instances were exposed to the internet before patches were deployed and, if so, carry out a comprehensive compromise assessment.
- Implement accelerated patching/segmentation strategies for all internet-facing edge infrastructure devices.
- Enhance monitoring specifically targeting known vulnerability exploit patterns for Ivanti products and similar perimeter devices.