Data Protection Authority in hot water: personal info leaked amidst security oversight

A data breach has exposed the personal information of employees at the Dutch Data Protection Authority (AP) and the Council for the Judiciary, according to state secretaries Arno Rutte and Eddie van Marum. In a letter to parliament, the state secretaries said it has now been established with the AP that work-related details, including names, official email addresses, and phone numbers, were viewed by unauthorized parties.

It remains unclear how many employees were affected; a ministry spokesperson said this is still being investigated. The incident is especially sensitive given that the AP is tasked with safeguarding personal data.

Staff at both organizations have been notified of the incident. The Council for the Judiciary informed the AP about the breach, after which the AP reported its own data leak to the organization’s internal data protection officer and with it's own reporting point.

The data leak resulted from the exploitation of a vulnerability in Ivanti Endpoint Manager Mobile, software used to manage and secure mobile devices, applications, and information. The National Cyber Security Centre (NCSC) was notified of the vulnerabilities last week.

A spokesperson for Arno Rutte said it cannot be ruled out that additional organizations were affected by breaches linked to vulnerability. “This is under investigation, and we don’t yet know,” she said, adding that multiple government agencies use the software.