
European Union officials are investigating a cybersecurity incident after attackers breached systems used to manage staff mobile devices, potentially exposing limited personal data but not compromising the devices themselves.
The European Commission, the EU’s executive branch, confirmed that it detected traces of a cyberattack on Jan. 30, 2026, within its central mobile device management infrastructure. The intrusion was identified by CERT-EU, the cybersecurity team responsible for protecting EU institutions, bodies, and agencies. Officials said the affected systems were contained and cleaned within nine hours of detection.
The Commission said the incident may have resulted in unauthorized access to staff names and mobile phone numbers belonging to a limited number of employees. No compromise of mobile devices was detected, and operations were restored after remediation measures were completed.
Authorities have not disclosed how attackers gained access to the management platform or identified the specific technology involved. The investigation remains ongoing, and the Commission said it continues to monitor the situation while strengthening internal security controls.
The breach occurred amid a broader wave of attacks targeting mobile device management platforms across Europe’s public sector. Around the same period, authorities in the Netherlands confirmed intrusions at the Dutch Data Protection Authority and the Council for the Judiciary. In those cases, attackers accessed employee names, work email addresses, and telephone numbers after exploiting vulnerabilities in mobile device management software used to administer government-issued devices.
Finland also reported a related incident, with the state IT services provider Valtori disclosing a breach affecting its mobile device management service that could involve up to 50,000 users.
Cybersecurity authorities have linked the incidents to critical code injection vulnerabilities in widely deployed mobile device management software, identified as CVE-2026-1281 and CVE-2026-1340. The flaws allow unauthenticated remote attackers to execute arbitrary code on unpatched servers, effectively granting full administrative control. Security agencies warned that active exploitation had occurred before patches were widely available and advised organizations to assume compromise, rotate credentials, and closely monitor for lateral movement.
© 2025, Lyonsdown Limited. teiss® is a registered trademark of Lyonsdown Ltd.