Alleged Data Breach Targets Spain’s Ministry of Science, Innovation, and Universities
Published
Key Takeaways
- Government Target: A Ministerio de Ciencia, Innovación y Universidades breach was claimed on a hacking forum.
- Flaw Exploitation: The actor claims to have exploited an IDOR vulnerability combined with leaked credentials to gain administrative access.
- Data Exposure: The alleged breach reportedly exposes sensitive documents, including passport scans, DNI/NIE records, academic transcripts, and financial information.
A threat actor operating under the alias “GordonFreeman” has claimed a data breach involving Spain’s Ministry of Science, Innovation, and Universities (Ministerio de Ciencia, Innovación y Universidades).
The claims surfaced on February 2, 2026, alleging unauthorized access to ministry systems.
According to the threat actor’s forum post, the intrusion allegedly exploited an Insecure Direct Object Reference (IDOR) vulnerability. The post alleges this flaw, combined with previously leaked credentials, granted the attacker full administrative-level access to the system.
Details of the Alleged Cyberattack
The "GordonFreeman" actor alleged that the IDOR vulnerability allowed for the sequential iteration of National Identity Document (DNI) numbers, a technique that enables scraping records from unsecured databases.
While the data breach is pending verification, the leaked details suggest unauthorized access to internal records. The scope of the claimed data exfiltration is extensive, reportedly including highly sensitive personally identifiable information (PII). The threat actor lists, among other assets:
- Passport scans,
- DNI/NIE scans,
- Apostilled foreign degrees and certified academic transcripts
- Email addresses,
- Payment receipts containing IBANs.
Implications for Government Cybersecurity
If confirmed, this incident underscores a critical lapse in government cybersecurity protocols regarding access control and data protection. IDOR vulnerabilities are a common but preventable class of security flaws that occur when an application provides direct access to objects based on user-supplied input.
As the situation develops, security experts are monitoring for the potential release or sale of the exfiltrated data, which could put thousands of citizens and academic professionals at risk of identity theft and financial fraud.
Last month, reports suggested the Pass'Sport data breach that exposed 6.4 million accounts originated from the French Ministry of Sports.
Related
Get expert insights on threats, breaches, scams, and security trends — delivered every Saturday.
Most Popular
Get expert insights on threats, breaches, scams, and security trends — delivered every Saturday.
Most Popular