Spain’s Ministry of Science, Innovation and Universities partially shut down its “electronic headquarters,” suspending administrative procedures and disrupting citizen- and company-facing services after reporting a “technical incident” under assessment. A threat actor using the alias GordonFreeman claimed responsibility, posted alleged proof-of-breach samples on underground forums, and offered purportedly stolen data for sale; the samples were described as including personal records, email addresses, enrollment applications, and screenshots of official documents, with the actor alleging exploitation of a critical IDOR flaw to obtain valid credentials.
Separately, Spain’s Ministry of Finance (Ministerio de Hacienda y Función Pública) faced an unverified data-breach claim from a threat actor calling themselves HaciendaSec, who advertised alleged access to data on ~47.3 million citizens (including claimed tax identifiers and banking details) on a dark web forum. The Ministry, working with Spain’s National Cryptologic Centre (CCN), stated it found no evidence of compromise or exfiltration in internal systems as of the initial investigation, and authorities are assessing whether the dataset is authentic, recycled, or sourced elsewhere; this incident is distinct from an unrelated outage at Rome’s La Sapienza university following a suspected ransomware attack.

Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
4 events from the most recent confirmed update back to the earliest known activity.
On February 5, 2026, Spain's Ministry of Science, Innovation and Universities announced a partial shutdown of IT systems, temporarily closing parts of its electronic headquarters and suspending administrative procedures due to a technical incident. A ministry spokesperson confirmed to Spanish media that the disruption was related to a cyberattack, and the ministry said deadlines for affected procedures would be extended.
A threat actor using the alias "GordonFreeman" claimed responsibility for a cyberattack on Spain's Ministry of Science, Innovation and Universities and offered allegedly stolen ministry data for sale. The actor also posted sample data and said the intrusion was achieved through a critical IDOR vulnerability that led to credentials and full administrative access.
After the breach claim surfaced, the Ministry of Finance said it found no evidence of unauthorized access or data exfiltration from its internal systems. The ministry, together with Spain's National Cryptologic Centre (CCN), began a forensic investigation to determine whether the data was authentic, recycled, or sourced from a third party.
On February 3, 2026, a threat actor using the name "HaciendaSec" advertised an alleged dataset for sale on a dark web forum, claiming it was stolen from Spain's Ministerio de Hacienda y Función Pública. The actor said the data covered about 47.3 million citizens and included tax identifiers, contact details, and bank information, though the claim remained unverified.
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
2 references tracked. Mallory keeps watching after this page renders.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.