Hackers had access to data from the Dutch prisons agency DJI for at least five months, according to an investigation by radio programme Argos.

Cyber criminals could see e-mail addresses, phone numbers and security certificates of staff at the agency, Argos said, which may increase the risk of extortion or blackmail.

The hackers also hacked into phones, tablets and laptops but it is not yet clear if they had complete access to the data on them, the national cyber security centre NCSC said. A spokesman for the DJI would not confirm if the hackers still have access to the systems.

Another unknown is whether the hackers were able to access location data. The agency has advised staff to disable the location function on their devices.

The leak was investigated by a “specialised company”, Argos said, and DJI staff were told on February 12.

A DJI spokeswoman confirmed the leak to broadcaster NOS and said it was part of a hack of several government agencies, including privacy watchdog Autoriteit Persoonsgegevens (AP) and the judiciary council Raad voor de Rechtspraak.

The cause of the data leak is being investigated, and the NCSA is monitoring the situation, she said.