An investigation by the radio program Argos revealed that hackers maintained access to data from the Dutch prison agency DJI for a minimum of five months. During this period, cyber criminals compromised staff contact details and security certificates, potentially exposing employees to risks of extortion while investigations continue into the full extent of device and location data access.

A recent investigation conducted by the radio program Argos has uncovered a significant security breach within the Dutch prison agency, DJI, where hackers reportedly held access to internal systems for at least five months. During this period, unauthorized actors were able to view sensitive information including the email addresses, phone numbers, and security certificates of agency staff members. This exposure has raised serious concerns regarding the safety of employees, as the availability of such personal data increases the likelihood of targeted extortion or blackmail attempts.

Beyond the theft of contact information, the National Cyber Security Centre (NCSC) reported that the hackers successfully infiltrated various hardware devices, including smartphones, tablets, and laptops. While the intrusion is confirmed, authorities are still working to determine whether the hackers gained complete access to the private data stored on these individual devices. A spokesperson for the DJI has notably declined to confirm whether the security gap has been fully closed or if the hackers might still possess active access to the agency’s internal infrastructure.

One of the primary remaining uncertainties involves whether the hackers were able to track the real-time location data of agency personnel. Due to the sensitive nature of prison operations and the potential for staff to be targeted outside of work, the agency has issued an advisory to all employees to disable location services on their professional devices. This precautionary measure highlights the gravity of the breach and the potential physical security risks posed to those working within the Dutch judicial system.

The timeline of the breach suggests that while the access lasted for months, DJI staff were only officially notified of the situation on February 12. The leak was analyzed by a specialized external security firm as part of the Argos investigation, which eventually brought the details to public light. This delay in communication and the reliance on an external probe to identify the duration of the hack suggest complexities in how the agency managed the initial discovery of the intrusion.

A spokeswoman for the DJI later confirmed the incident to the broadcaster NOS, clarifying that this breach was not an isolated event but rather part of a broader coordinated attack. Several other prominent Dutch government entities were also targeted, including the judiciary council and the primary privacy watchdog, Autoriteit Persoonsgegevens. Currently, the National Cyber Security Centre is monitoring the ongoing situation while investigators attempt to pinpoint the exact cause of the leak and the full scope of the compromised information.

Source: Hackers Accessed Prison Staff Data For Five Months Before Detection