Full Report
Dutch News reports: Hackers had access to data from the Dutch prisons agency DJI for at least five months, according to an investigation by radio programme Argos. Cyber criminals could see e-mail addresses, phone numbers and security certificates of staff at the agency, Argos said, which may increase the risk of extortion or blackmail. The hackers... Source
Analysis Summary
# Incident Report: Multi-Month Compromise of Dutch Prisons Agency (DJI)
## Executive Summary
The Dutch custodial institutions agency, **Dienst Justitiële Inrichtingen (DJI)**, suffered a significant data breach in which threat actors held unauthorized access to internal systems for at least five months. The breach exposed staff contact details and security certificates and reached staff-issued devices, creating a high risk of targeted extortion and blackmail against prison staff.
## Incident Details
- **Discovery Date:** February 2026 (Reported)
- **Incident Date:** Ongoing for at least five months prior to discovery
- **Affected Organization:** Dienst Justitiële Inrichtingen (DJI)
- **Sector:** Government / Justice & Public Safety
- **Geography:** Netherlands
## Timeline of Events
### Initial Access
- **Date/Time:** Approximately September/October 2025 (calculated from reporting date)
- **Vector:** Not disclosed in public reporting. Credential compromise and vulnerability exploitation are the usual candidates for this kind of long-lived access, but neither is confirmed.
- **Details:** Attackers established a persistent presence within the DJI network environment.
### Lateral Movement
- **Details:** Threat actors moved from the initial entry point to systems containing personnel directories and security infrastructure. They successfully compromised mobile devices (phones/tablets) and laptops assigned to staff.
### Data Exfiltration/Impact
- **Details:** Attackers accessed, and may have exfiltrated, employee email addresses, phone numbers, and security certificates. They also had access to staff-issued devices; which files on those devices were reached is still under investigation.
### Detection & Response
- **How it was discovered:** Investigative journalism by radio programme *Argos*.
- **Response actions taken:** Involvement of the National Cyber Security Centre (NCSC); ongoing investigation into the extent of file access on mobile devices.
## Attack Methodology
- **Initial Access:** [Unknown/Not Disclosed]
- **Persistence:** Maintained access for a minimum of five months.
- **Privilege Escalation:** Not disclosed. Elevated rights are inferred from the access to certificate stores and device management (an assumption, not a reported finding).
- **Defense Evasion:** Remained undetected by DJI security monitoring for roughly 150 days.
- **Credential Access:** Access to staff security certificates. (Contact details are PII rather than credentials and are listed under Collection.)
- **Discovery:** Enumerated staff directories and device management systems.
- **Lateral Movement:** Pivoted from central servers to individual endpoint hardware (laptops/phones).
- **Collection:** Gathering of PII (Personally Identifiable Information) and security credentials.
- **Exfiltration:** Potential theft of staff contact lists and digital certificates.
- **Impact:** Compromise of institutional integrity and staff safety.
## Impact Assessment
- **Financial:** Undisclosed. Forensic investigation and the audit or replacement of staff devices are the expected cost drivers.
- **Data Breach:** Compromise of PII (Email, Phone numbers) and cryptographic assets (Security Certificates) for an unknown number of staff.
- **Operational:** Uncertainty regarding whether hackers still maintain active access to systems.
- **Reputational:** High; raises significant concerns regarding the safety of prison staff and the potential for inmate-led extortion.
## Indicators of Compromise
- **Network indicators:** None disclosed in public reporting.
- **File indicators:** None disclosed.
- **Behavioral indicators:** Unauthorized access to "Security Certificates" and unauthorized remote interaction with DJI-managed mobile devices.
## Response Actions
- **Containment measures:** Details categorized as sensitive; NCSC providing guidance.
- **Eradication steps:** Ongoing audit of all staff laptops, tablets, and phones.
- **Recovery actions:** Verification of system integrity (Status: In-Progress).
## Lessons Learned
- **Key takeaways:** A dwell time of at least five months shows that existing monitoring did not surface the intrusion. Whether egress filtering would have helped depends on how, and whether, data left the network, which has not been disclosed.
- **What could have been done better:** Alerting on unusual access to certificate stores (unexpected principals, after-hours use, bulk export) or on anomalous mobile device management (MDM) activity (remote actions from unexpected accounts, bursts of actions against many devices) could have shortened the dwell time considerably.
## Recommendations
- **Prevention:** Enforce Multi-Factor Authentication (MFA) across all administrative tiers, and revoke and reissue every staff security certificate the attackers could have reached. Issuing new certificates without revoking the old ones leaves the compromised copies usable until they expire.
- **Detection:** Deploy Endpoint Detection and Response (EDR) on all staff laptops, and mobile threat defence with MDM compliance checks on phones and tablets, to flag unauthorized remote access.
- **Monitoring:** Establish strict logging and alerting for any access to sensitive personnel databases or security certificate stores.
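The detection and monitoring recommendations above, and the earlier note on what earlier alerting might have caught, describe three rules: access to the certificate store by a principal outside an allowlist or outside business hours, MDM remote actions by an unexpected account, and a burst of MDM remote actions against many devices in a short window. The following Python script is an added illustration of those rules run over constructed JSON-lines audit records; it is not DJI's code or data, and the field names (`cert_store_access`, `mdm_remote_action`), allowlists, business hours and burst thresholds are assumptions chosen for the example.

```python
"""Added example: detection rules for certificate-store access and MDM remote
actions, run over constructed audit log lines (not DJI data)."""
import json
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed JSON-lines audit records. Event types, field names and
# identifiers are assumptions for illustration, not real DJI log data.
SAMPLE_LOG = """\
{"ts": "2025-09-14T10:12:00Z", "type": "cert_store_access", "user": "pki-admin", "object": "STAFF-CA", "action": "export"}
{"ts": "2025-09-14T02:41:00Z", "type": "cert_store_access", "user": "pki-admin", "object": "STAFF-CA", "action": "export"}
{"ts": "2025-09-15T11:03:00Z", "type": "cert_store_access", "user": "jdoe", "object": "STAFF-CA", "action": "read"}
{"ts": "2025-09-15T09:00:00Z", "type": "mdm_remote_action", "user": "mdm-admin", "device": "PHN-0102", "action": "lock"}
{"ts": "2025-09-16T03:10:00Z", "type": "mdm_remote_action", "user": "mdm-admin", "device": "PHN-0201", "action": "collect_files"}
{"ts": "2025-09-16T03:12:00Z", "type": "mdm_remote_action", "user": "mdm-admin", "device": "PHN-0202", "action": "collect_files"}
{"ts": "2025-09-16T03:15:00Z", "type": "mdm_remote_action", "user": "mdm-admin", "device": "PHN-0203", "action": "collect_files"}
{"ts": "2025-09-17T14:00:00Z", "type": "mdm_remote_action", "user": "helpdesk-tmp", "device": "LPT-0310", "action": "install_profile"}
"""

# Assumed allowlists and thresholds; in production derive these from the
# PKI/MDM role assignments and from a baseline of historical activity.
CERT_STORE_ADMINS = {"pki-admin", "svc-pki-backup"}
MDM_ADMINS = {"mdm-admin"}
BUSINESS_HOURS = range(7, 19)          # 07:00-18:59 UTC
BURST_THRESHOLD = 3                    # remote actions by one account ...
BURST_WINDOW = timedelta(minutes=10)   # ... within this window


def parse_events(text):
    """Parse JSON lines into dicts with timezone-aware UTC timestamps, sorted by time."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        events.append(ev)
    return sorted(events, key=lambda e: e["ts"])


def detect(events):
    """Apply the three rules and return a list of alert dicts."""
    alerts = []
    mdm_times = defaultdict(list)   # per-account timestamps of MDM remote actions

    for ev in events:
        if ev["type"] == "cert_store_access":
            if ev["user"] not in CERT_STORE_ADMINS:
                alerts.append({"rule": "cert_store_unauthorized_principal",
                               "user": ev["user"], "ts": ev["ts"].isoformat()})
            elif ev["ts"].hour not in BUSINESS_HOURS:
                alerts.append({"rule": "cert_store_after_hours",
                               "user": ev["user"], "ts": ev["ts"].isoformat()})
        elif ev["type"] == "mdm_remote_action":
            if ev["user"] not in MDM_ADMINS:
                alerts.append({"rule": "mdm_unauthorized_principal",
                               "user": ev["user"], "ts": ev["ts"].isoformat()})
            mdm_times[ev["user"]].append(ev["ts"])

    # Burst rule: sliding window over each account's (already sorted) action times.
    for user, times in mdm_times.items():
        start = 0
        for end in range(len(times)):
            while times[end] - times[start] > BURST_WINDOW:
                start += 1
            if end - start + 1 >= BURST_THRESHOLD:
                alerts.append({"rule": "mdm_action_burst", "user": user,
                               "ts": times[end].isoformat(), "count": end - start + 1})
                break   # one alert per account is enough to page someone
    return alerts


def alert_counts(text):
    """Convenience wrapper: number of alerts per rule for a log text."""
    counts = {}
    for a in detect(parse_events(text)):
        counts[a["rule"]] = counts.get(a["rule"], 0) + 1
    return counts


if __name__ == "__main__":
    for alert in detect(parse_events(SAMPLE_LOG)):
        print(alert)
```

On the constructed log the script raises four alerts: an after-hours certificate export by an authorized PKI account, a certificate-store read by an account that is not a PKI administrator, three `collect_files` actions against different phones within five minutes at 03:00, and a profile installation by an account outside the MDM allowlist. The burst rule is the one most relevant to the incident described here, since mass remote collection from staff devices is exactly the activity a long-lived intruder with MDM access would perform; the after-hours rule is a weak signal on its own and is best paired with an allowlist or a volume threshold, as the code does.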