Dutch Police Data Theft via Compromised Email and M365 Cloud Security Gaps
Dutch police suffered a major data theft attributed to a Russian cyber group after attackers gained access via an employee’s email account and exfiltrated sensitive personnel information. Stolen data reportedly included the contact details of nearly all ~65,000 police officers, along with profile photos and other personal data, triggering significant internal unrest and concern about officer safety and privacy.
Investigative reporting indicates the organization had been warned in advance about security weaknesses relevant to the intrusion path. Documents obtained under the Netherlands’ Open Government/Woo framework describe an internal November 2022 risk analysis that raised concerns about the implementation and security of Microsoft’s M365 cloud (used for tools such as Teams), explicitly noting “inherent” cloud risks and that state actors would be highly motivated to access the environment. Following the 2024 theft, police reportedly stood up a heavy crisis response structure (the Nationale Staf Grootschalig en Bijzonder Optreden) to reduce immediate risk and implement additional security measures, while political and union voices characterized the incident as severe and questioned why earlier warnings were not acted upon.

How this story unfolded
3 events from the most recent confirmed update back to the earliest known activity.
Follow the Money reveals prior warning before police data theft
Follow the Money reported that Dutch police had been warned about the security weakness exploited in the major 2024 data theft, based on documents obtained under the Open Government Act. The reporting connected the earlier 2022 risk analysis to the later breach and highlighted the sensitivity of the exposed officer data.
Russian hackers steal Dutch police data via employee email account
In September 2024, a Russian cyber group reportedly accessed the Dutch police environment through an employee's email account and exfiltrated a large volume of police data. The stolen information included contact details for nearly all 65,000 police officers, along with profile photos and other personal data.
Dutch police risk analysis warns of M365 cloud security gaps
An internal Dutch police risk analysis reportedly identified implementation and security risks in the police's Microsoft 365 cloud environment, warning that state actors would be especially interested in accessing it. The analysis said the cloud carried inherent risks and raised concerns years before the later breach.
Sources
NL: Police warned about security hole used by Russian hackers in major theft of police data - DataBreaches.Net
databreaches.net
Politie liet ondanks waarschuwing deur open voor Russische hackers [Police left the door open to Russian hackers despite warning] - Follow the Money - Platform for investigative journalism
ftm.nl


