
The DJI and AP Collapse: A Masterclass in Institutional Hypocrisy

Ronny Roethof
A security-minded sysadmin who fights corporate BS with open source weapons and sarcasm

Summary

The DJI (Dienst Justitiële Inrichtingen), the Dutch prison and custodial agency responsible for inmate management and staff safety, suffered a major cybersecurity failure that exposes the fragility of Dutch government IT. Hackers maintained Remote Code Execution (RCE) access for five months; operational neglect was paid for with the safety of 16,000 justice officials. This breach goes beyond a simple data leak: attackers exploited Ivanti EPMM to execute arbitrary code, effectively taking control of devices rather than merely accessing data. Experts agree that patches alone are insufficient; the systems must be considered compromised, and a full rebuild is the only safe path.

The Hypocrisy of the Watchdog

The irony deepens when we consider that the Autoriteit Persoonsgegevens (AP) fell victim to the exact same Ivanti flaw. How can the AP credibly fine private companies for “insufficient security” when it fails to protect its own infrastructure from a known vulnerability? This isn’t merely an IT failure; it is a failure of institutional accountability.

Institutional Neglect and the Culture of ‘MicroSLOP’

The human consequences are immediate: directors and prison staff are now at risk of blackmail. DJI’s advice to staff to “turn off location data” does nothing to mitigate five months of historical tracking. Beyond this, the organization’s culture, dubbed “MicroSLOP” by industry peers, prioritizes low-quality, high-maintenance enterprise software over resilient, secure architecture, leaving systemic vulnerabilities unaddressed.

Professional Reality

This pattern is familiar across Dutch institutions, including RIVM. Leadership often remains in “Plato’s Cave,” fixated on compliance metrics while real servers burn. Warnings are ignored, promises are broken, and surprise follows predictably when supposedly secure systems are compromised.

Final Verdict

If you cannot secure the people who secure prisoners, you have lost control. DJI’s top management and AP leadership must be held accountable. No more “zorgelijke situatie” press releases—resignations are warranted. In cases of deep compromise, patching is not enough; the only solution is to burn it down and start over. Yet in Den Haag, the likely response will be to invest in more “MicroSLOP.”
