The Nova ransomware group has claimed responsibility for a cyberattack against the University of Valencia (uv.es), one of Spain's oldest and largest public academic institutions. The claim, posted to Nova's leak site on May 23, 2026, alleges the exfiltration of sensitive data including personal photographs of children and "embarrassing" personal information belonging to students and staff. No data samples or volume figures have been provided, leaving the claim unverified at this time.
What Happened
On May 23, 2026, the threat actor known as Nova published a post on its dark web leak site claiming to have breached the University of Valencia's servers and exfiltrated sensitive data. The post invites the university to contact Nova's "support department" to begin negotiations and notably states the group will "discuss the status with our Management Team about the kids photos," suggesting an attempt to use particularly sensitive material as leverage. Yazoul Security observed and captured the claim post but has not independently verified its authenticity. The University of Valencia has not, at the time of this writing, issued any public confirmation or denial.
What Was Taken
Nova has not published data samples, file trees, or volume estimates to substantiate its claim. According to the leak site post, the allegedly exfiltrated dataset includes:
- Personal photographs of children, potentially sourced from university-affiliated daycare programs, family services, or research involving minors
- "Embarrassing" personal data belonging to students and staff
- Unspecified sensitive files extracted from university servers
The explicit reference to imagery of minors is unusual and, if substantiated, would significantly elevate the legal and ethical stakes of any breach. Without proof artifacts, the true scope, sensitivity, and authenticity of the stolen data remain unverifiable.
Why It Matters
Spanish public universities hold large volumes of personal data covering students, faculty, research subjects, and affiliated minors through campus services. A confirmed breach at an institution the size of Valencia would have implications for GDPR enforcement, given the special category of data potentially involved, and would likely trigger Agencia Española de Protección de Datos (AEPD) scrutiny. Beyond regulatory exposure, the alleged inclusion of imagery of minors would represent a severe reputational and child-safeguarding crisis. The episode also highlights how lesser-known ransomware brands continue to target higher education, a sector long-recognized as under-resourced relative to its attack surface.
The Attack Technique
Nova is a relatively obscure ransomware operation with limited public attribution. Its tools, tactics, and procedures are not well-documented in open-source intelligence, no public YARA rules or detection signatures are currently associated with the group, and its total confirmed victim count is unknown. The group has not disclosed an initial access vector, encryption tooling, or post-exploitation behavior in connection with this incident. Its operational tradecraft on the leak site itself appears immature, with no proof samples, no data directory, and emotionally loaded framing that is consistent with low-credibility extortion attempts. Analysts should treat the claim with heightened skepticism until verification artifacts emerge.
What Organizations Should Do
- Higher education institutions, particularly Spanish public universities, should review external-facing services, VPN appliances, and identity providers for indicators of compromise and recent suspicious authentication activity.
- Audit storage locations holding imagery or records related to minors (daycare, summer programs, pediatric research) and ensure access is segmented, logged, and protected by strong authentication.
- Validate offline, immutable backups for student information systems, HR data, and research repositories, and rehearse restoration procedures.
- Confirm GDPR breach-notification playbooks are current, including pre-drafted communications to the AEPD and affected data subjects, with specific handling for special-category data.
- Monitor Nova's leak site for follow-up posts, sample drops, or escalation that would shift this from an unverified claim to a confirmed incident.
- Share any related indicators or tradecraft observations with sector ISACs and national CERTs, including INCIBE-CERT in Spain.
Sources: University of Valencia Ransomware Attack by Nova (May 2026)