The Watchdog Got Hacked: Dutch Data Protection Authority Leaks Its Own Employees' Data

The Dutch Data Protection Authority, literally the organization tasked with making sure everyone else handles personal data correctly, just leaked the personal information of its own employees. Names, official email addresses, and phone numbers – all accessed by unauthorized parties through a software vulnerability that's been actively exploited for weeks.

If there was ever a moment that captures why people are skeptical about uploading their government IDs for age verification, this is it.

When the Privacy Police Can't Keep Their Own Data Safe

Last week, Dutch state secretaries confirmed that employee data from both the Dutch Data Protection Authority (AP) and the Council for the Judiciary was accessed by unauthorized parties. The breach happened through a vulnerability in Ivanti Endpoint Manager Mobile software used to manage mobile devices across government agencies.

The irony of the situation isn’t lost on anyone. The AP enforces GDPR compliance and issues massive fines for mishandling personal data. Now they're reporting their own leak to... themselves. The Council for the Judiciary discovered the breach first and notified the AP, which then had to formally report its own data leak to its internal data protection officer.

It's unclear how many employees were affected. But the timing couldn't be worse. These vulnerabilities (CVE-2026-1281 and CVE-2026-1340) were disclosed January 29, with active exploitation confirmed before disclosure. Patches were released, and CISA gave federal agencies just three days to fix the problem.

The organization responsible for data protection didn't prioritize patching a critical vulnerability in its own systems. This is who we are supposed to be trusting.

An Old Vulnerability, A Fresh Embarrassment

This isn't Ivanti's first rodeo. The same software has been exploited repeatedly, in 2023, again in 2025, and now this. Public proof-of-concept exploits were available within 24 hours of disclosure.

The vulnerability allowed unauthenticated attackers to inject code and achieve remote execution. If you didn't patch immediately, anyone could walk right in. And when they did, they got access to names, emails, phone numbers, and potentially device data, including GPS locations.

This is the kind of data breach that happens when organizations don't take security seriously. If only there was some other organization to make sure they do…

The Age Verification Irony’s Best Example

All across Europe, governments are rolling out age verification laws requiring people to upload driver's licenses, passports, or submit to biometric facial scans just to access legal content online. The UK's Online Safety Act kicked in last year, and similar laws are spreading fast everywhere.

But here's the Dutch Data Protection Authority, the actual regulatory body enforcing these protections, getting hacked through a known vulnerability they failed to patch. If the privacy watchdog can't secure basic employee contact information, why should anyone believe thousands of platforms and third-party age verification vendors will keep millions of government IDs safe?

Every time we hand over sensitive documents, we're creating another honeypot. And the organizations holding these databases have proven repeatedly they can't be trusted to keep them secure.