Dutch Police Link Officer Data Breach to State Actor Amid Cybercrime Crackdown
Dutch police said a recent breach exposing personal data of officers was likely carried out by a state actor, reviving concerns first raised in an earlier case in which authorities suspected a foreign government was behind the theft of Dutch police personnel data. Reporting indicates the compromised information involved police employee details, and officials treated the intrusion as a serious national-security matter because of the potential risks to officers and ongoing investigations.
Separately, Dutch police announced they had dismantled a major cybercriminal forum in an international operation, underscoring a broader push against both espionage-linked intrusions and financially motivated cybercrime. The takedown was presented as a coordinated global law-enforcement action against a prominent criminal platform, while the data-breach investigation highlighted the parallel threat posed by hostile states targeting sensitive law-enforcement information.
Get ahead of threats like this
Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
How this story unfolded
3 events from the most recent confirmed update back to the earliest known activity.
Dutch police dismantle major cybercriminal forum in global operation
Dutch police announced they had taken down a major cybercriminal forum as part of a worldwide law enforcement action. The operation represented a separate enforcement event involving disruption of cybercrime infrastructure.
Dutch police say a state actor is likely behind the breach
Dutch police later said the recent data breach was likely carried out by a state actor, updating the suspected attribution of the incident. This marked a significant development beyond the initial disclosure of stolen officer data.
Dutch police disclose theft of officers' personal data
Dutch police disclosed that personal data belonging to police officers had been stolen in a data breach. Early reporting indicated authorities were investigating the incident and its scope.
Sources
3 references tracked. Mallory keeps watching after this page renders.
Politie ontmantelt groot cybercrimineel forum in wereldwijde actie | politie.nl
politie.nl
Open sourceDutch Police: ‘State actor’ likely behind recent data breach
bleepingcomputer.com
Open sourceForeign State Suspected in Theft of Dutch Police Officers' Data
bitdefender.com
Open sourceSee the full picture, correlated to your attack surface.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.
Related stories
Other stories Mallory is tracking that overlap on entities, sources, or topic labels.
Dutch Police Data Theft via Compromised Email and M365 Cloud Security Gaps
Dutch police suffered a major data theft attributed to a **Russian cyber group** after attackers gained access via an employee’s **email account** and exfiltrated sensitive personnel information. Stolen data reportedly included the contact details of nearly all **~65,000 police officers**, along with profile photos and other personal data, triggering significant internal unrest and concern about officer safety and privacy. Investigative reporting indicates the organization had been **warned in advance** about security weaknesses relevant to the intrusion path. Documents obtained under the Netherlands’ Open Government/Woo framework describe an internal **November 2022 risk analysis** that raised concerns about the implementation and security of Microsoft’s **M365 cloud** (used for tools such as *Teams*), explicitly noting “inherent” cloud risks and that **state actors** would be highly motivated to access the environment. Following the 2024 theft, police reportedly stood up a heavy crisis response structure (the *Nationale Staf Grootschalig en Bijzonder Optreden*) to reduce immediate risk and implement additional security measures, while political and union voices characterized the incident as severe and questioned why earlier warnings were not acted upon.
Mar 21, 2026
Dutch Police Data Exposure After Mistakenly Sharing Confidential Files With a Civilian
Dutch police arrested a **40-year-old man from Ridderkerk** after he obtained **confidential police documents** due to a police error and then allegedly attempted to leverage possession of the files for something in return. According to police, the man was taken into custody on Thursday evening, his home was searched, and data storage devices were seized to recover the documents and prevent further dissemination; authorities also reported the incident as a **data breach** and said the investigation is ongoing. Reporting indicates the incident began when the man contacted police in connection with a separate matter and was sent a link intended for **uploading** images; instead, an officer mistakenly sent a **download link**, granting access to sensitive materials the recipient was not meant to see. While the man reportedly did not exploit a technical vulnerability or “break in” in a traditional sense, police said he was instructed to stop and delete the material and refused unless he “received something in return,” prompting the arrest and evidence seizure to contain the exposure.
Mar 21, 2026
Dutch Organizations Report Data Breaches and Extended Unauthorized Access
Dutch authorities reported a prolonged compromise at the Dutch prisons agency **DJI**, where attackers reportedly maintained access for at least **five months**. Exposed information included staff **email addresses, phone numbers, and security certificates**, and the Dutch NCSC indicated the intruders also accessed **phones, tablets, and laptops**, though the extent of data access on those endpoints was not confirmed; DJI did not confirm whether access had been fully removed. Separately, Dutch telecom **Odido** disclosed a **data breach followed by an extortion attempt**, after which attackers publicly released about **1M records** (including **317k unique email addresses**) and threatened additional leaks. The published data reportedly included **names, physical addresses, phone numbers, bank account numbers**, and customer-service notes; Odido’s notice also warned that **dates of birth** and government ID numbers (passport/driver’s license) were impacted. A **Canadian Tire** breach entry describes a different incident in Canada (October 2025) involving ~**42M records** with PBKDF2-hashed passwords and some partial payment-card metadata, and is not part of the Netherlands-focused events above.
Mar 21, 2026