Major data breach hits Custodial Institutions Agency, staff details exposed

A data breach has compromised the personal details of employees at the Custodial Institutions Agency (DJI). According to a spokesperson, who responded after reports by Argos, the leaked information consists of staff email addresses, telephone numbers, and security certificates.

At the beginning of the month, the Dutch Data Protection Authority (AP) and the Council for the Judiciary (Raad voor de rechtspraak) disclosed a data breach caused by a security flaw at ICT supplier Ivanti. Authorities have since confirmed that the DJI was likewise impacted.

Reporting by Argos indicates that hackers were inside DJI’s internal network for no less than five months and could potentially still retain access. By taking advantage of a security flaw in Ivanti Endpoint Manager Mobile, a platform for centrally controlling business smartphones, laptops, and tablets, the attackers were able to do more than just access information. They could also remotely control or erase devices.

“The cause of the data breach and cyber incident is currently under investigation,” the DJI spokesperson said. The National Cyber Security Centre (NCSC) has been notified.

State Secretary Claudia van Bruggen of D66 indicated that little information can yet be shared about the incident. Speaking ahead of the Cabinet meeting, she said the situation is concerning given the government’s duty to protect its employees, while emphasizing that DJI personnel face no danger from the breach.

With a workforce of 16,000, the DJI operates 50 facilities throughout the Netherlands, including prisons, youth detention centers, and tbs clinics.

Authorities have not yet confirmed whether the attackers were able to access mobile device location data. Because such data is typically stored in the breached database, DJI has instructed staff to switch off location tracking on their devices as a precaution.