Feb 06, 2026 · 5 min read

Spain's Ministry of Science Shuts Down Systems After Hacker Claims Data Theft

A threat actor claims to have stolen researcher records, student data, and official documents after exploiting a basic security flaw in government systems.

Spain's Ministry of Science, Innovation, and Universities has partially shut down its IT systems following claims by a threat actor that they stole data belonging to researchers, students, and university staff.

The ministry acknowledged "a technical incident currently under assessment" affecting its electronic headquarters and citizen-facing services. All ongoing administrative procedures have been suspended, and the ministry extended deadlines to protect affected parties' rights under Spanish administrative law.

A threat actor using the pseudonym "GordonFreeman" has claimed responsibility for the attack and attempted to auction the stolen data on underground forums.

What Data May Have Been Stolen

According to the attacker's claims, the stolen materials include:

  • Personal records: Information on researchers, university staff, and students
  • Email addresses: Contact information for academic personnel
  • Enrollment applications: Student registration data
  • Official documents: Screenshots of government paperwork

The authenticity of these claims has not been independently verified. The forum where the data was initially offered has since gone offline, and samples haven't appeared on alternative platforms.

How the Attack Happened

The attacker claims to have exploited an Insecure Direct Object Reference (IDOR) vulnerability—a basic web security flaw that should never exist in government systems.

IDOR vulnerabilities occur when applications use predictable identifiers (like sequential numbers) to reference user data without properly checking whether the requester is authorized to access it. In simple terms: if your profile is at URL /user/12345, an attacker can simply change the number to /user/12346 to view someone else's profile.

According to the attacker, this flaw provided "full admin level access" credentials, allowing them to exfiltrate data at scale. If true, this represents a fundamental failure in basic security controls—the kind of vulnerability that appears on every web security checklist and should be caught in routine testing.
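The flaw class described above, and the kind of routine check that catches it, shown as an added example. This is not code from the ministry's systems or from the reporting: the `Session` type, the `profile-admin` role, the access policy and the sample records are all constructed for illustration.

```python
from dataclasses import dataclass

# Constructed sample records keyed by sequential id; not real data.
PROFILES = {
    12345: {"owner": "alice", "email": "alice@example.org"},
    12346: {"owner": "bob", "email": "bob@example.org"},
}

@dataclass(frozen=True)
class Session:
    """Authenticated caller, established server-side at login (hypothetical)."""
    username: str
    roles: frozenset = frozenset()

class Forbidden(Exception):
    """Would map to a 403/404 response in a real handler."""

def may_read(session, record):
    # Policy assumed for this example: owner, or holder of a hypothetical admin role.
    return record["owner"] == session.username or "profile-admin" in session.roles

def get_profile_vulnerable(session, user_id):
    # IDOR: the id taken from the URL is trusted and the session is never consulted.
    return PROFILES[user_id]

def get_profile_checked(session, user_id):
    # Object-level authorization: compare the record's owner with the caller
    # before returning anything.
    record = PROFILES.get(user_id)
    if record is None or not may_read(session, record):
        # Same error for "missing" and "not yours", so ids cannot be probed.
        raise Forbidden(f"profile {user_id} not available")
    return record

def cross_account_reads(handler, sessions):
    """Routine check: each session requests every id; report records that
    were returned to a caller the policy does not allow."""
    leaks = []
    for s in sessions:
        for uid, record in PROFILES.items():
            try:
                handler(s, uid)
            except Forbidden:
                continue
            if not may_read(s, record):
                leaks.append((s.username, uid))
    return leaks
```

Run in a test suite against every object-returning handler, `cross_account_reads` returns an empty list only when each lookup is gated on the caller's identity, not just on the id in the request.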

Government Response

The Spanish Ministry has taken several steps in response to the incident:

  • System shutdown: Public-facing services have been partially taken offline
  • Procedure suspension: All ongoing administrative procedures are on hold
  • Deadline extensions: Filing deadlines extended under Article 32 of Law 39/2015 to protect citizens' rights
  • Investigation: Security assessment is ongoing

The ministry has not confirmed the scope of any data theft or provided specific guidance to potentially affected individuals.

Why Government Research Systems Are Targets

National science ministries and research agencies are increasingly attractive targets for cybercriminals and state-sponsored actors alike:

Valuable research data: Scientific research, particularly in fields like biotechnology, materials science, and defense applications, has significant economic and strategic value.

Personal information: Researcher databases contain contact details, employment records, and sometimes financial information for grant recipients.

Legacy systems: Government agencies often operate older systems that may lack modern security controls, and budget constraints can delay necessary upgrades.

Espionage value: Nation states target research institutions to steal intellectual property and gain competitive advantages in emerging technologies.

What to Do If You're Affected

If you're a researcher, student, or staff member who has interacted with Spain's Ministry of Science systems, take these precautions:

  • Watch for phishing: Expect scam emails impersonating the ministry, Spanish universities, or research funding agencies. Don't click links in unexpected communications.
  • Verify through official channels: If you receive communications about grants, enrollment, or administrative matters, verify by calling published phone numbers or visiting official websites directly.
  • Monitor your accounts: Watch for unauthorized access attempts on email and institutional accounts that may share credentials with ministry systems.
  • Update passwords: If you've used ministry portals, change passwords on any accounts that share similar credentials.
  • Be patient with procedures: Administrative deadlines have been extended, so don't be pressured by urgent-sounding communications claiming you need to act immediately.

The Bottom Line

This incident highlights a persistent problem: government systems handling sensitive citizen data often suffer from basic security flaws that private-sector companies would catch in routine testing. An IDOR vulnerability providing admin access shouldn't exist in any modern web application, let alone one handling researcher and student records.

If you've used Spanish research ministry services, stay alert for phishing attempts in the coming weeks. Criminals will exploit the confusion and uncertainty while the investigation continues.