Nova Ransomware Group Claims Breach of KPMG Netherlands

What happened

The Nova ransomware group has publicly claimed it breached the Netherlands division of global professional services firm KPMG, listing the company as a victim on its data leak site on January 23, 2026. The group alleges it exfiltrated sensitive data and has issued a 10-day deadline for contact and ransom negotiation. There has been no official confirmation from KPMG regarding the validity, scope, or impact of the claimed breach. 

Who is affected

The alleged incident reportedly targets KPMG’s operations in the Netherlands, the local branch of the international audit, tax, and advisory firm. It is not yet clear whether the claim affects systems or data beyond that region, or whether it involves client or internal data. KPMG has not yet publicly acknowledged the situation.

Why CISOs should care

  • High-profile targeting: Nova’s claim against a major global professional services firm underscores that even well-resourced organizations are not immune to sophisticated ransomware operations.
  • Double extortion risk: Groups like Nova often use a “double extortion” model, encrypting networks and threatening to publish stolen data, which increases the pressure on organizations and elevates reputational and compliance risk. 
  • Uncertainty and response preparedness: With details unverified and no official confirmation, the situation highlights the need for rapid validation, communication, and response readiness for suspected incidents.

3 Practical Actions

  1. Verify and validate: Immediately initiate internal threat detection and forensic investigation processes to determine if there are indicators of compromise related to Nova’s known tactics and infrastructure.
  2. Engage legal and communications teams: Prepare coordinated external and internal communication plans, including regulatory notification obligations under data protection laws (e.g., GDPR), should a breach be confirmed.
  3. Review and exercise incident response plans: Conduct tabletop exercises and test incident response workflows to ensure cross-functional readiness for ransomware events, including containment, recovery, and data protection strategies.