Major data breach hits Custodial Institutions Agency, staff details exposed

A Dutch government agency responsible for prisons and detention facilities has suffered a significant cyber incident that exposed internal staff data, raising security and safety concerns for employees.

What happened

• The breach hit the Custodial Institutions Agency (Dienst Justitiële Inrichtingen, DJI), part of the Dutch Ministry of Justice and Security.

• Hackers reportedly had unauthorized access to DJI systems for about five months before the issue was discovered.​

• The incident is being treated as a serious security matter because staff work directly with detainees and other high‑risk populations.​

What data was exposed

• The leaked information includes staff email addresses, telephone numbers, and security certificates belonging to employees.

• No confirmation so far that home addresses, national IDs, or bank details were compromised, but officials have not ruled out further findings as the investigation continues.

• Security certificates in particular could potentially be abused to impersonate internal services or users if not promptly revoked.

How attackers got in and how long

• Public reporting indicates the attackers maintained access to DJI’s network for roughly five months before detection.​

• Separate technical commentary circulating online suggests the compromise may be linked to exploitation of known vulnerabilities in Ivanti software used in government environments, though DJI has not publicly detailed the exact entry vector.

• The length of access raises the possibility of additional internal reconnaissance or data exfiltration beyond what is currently confirmed.​

Risks and impact

• Staff could face heightened risks of harassment, extortion, or blackmail because of their roles in prison and custodial operations.​

• Exposure of internal contact details and certificates may enable targeted phishing, business email compromise, or attempts to pivot into other justice or security systems.

• The incident comes amid a broader pattern of attacks on European justice and critical‑infrastructure bodies, underscoring ongoing weaknesses in legacy government IT.

Response so far

• DJI has notified affected employees and is working with authorities and security experts to investigate and contain the breach.

• Revocation and replacement of impacted security certificates is expected, along with additional monitoring for misuse of staff contact data.

• Dutch media and specialist cyber‑threat monitors are treating this as a high‑sensitivity case because any compromise of justice‑system personnel can have downstream implications for prisons and courts.