Dutch authorities disclosed that attacks exploiting Ivanti Endpoint Manager Mobile (EPMM) flaws exposed work-related contact data for staff at the Dutch Data Protection Authority (AP) and the Council for the Judiciary (Rvdr). The incidents were reported to parliament after the National Cyber Security Centre (NCSC) was alerted on 29 January, when the vendor disclosed the vulnerabilities. Attackers accessed names, work email addresses and telephone numbers.
On 30 January the European Commission detected a cyberattack on its mobile device management system. The organisation said no mobile devices were compromised and the incident was contained within nine hours; CERT-EU is investigating the security breach. According to the European Commission, attackers could use the stolen data to launch targeted vishing and phishing attacks by impersonating colleagues or officials, enabling reconnaissance for spear phishing or physical targeting of key personnel.
Authorities have informed affected employees, while the NCSC continues to monitor the issue for any wider impact across government systems.