The Nova ransomware group, a cybercriminal operation that uses a ransomware-as-a-service model, has claimed responsibility for a cyberattack on KPMG Netherlands, the Dutch branch of the global professional services firm KPMG International Cooperative. The claim was posted on a dark-web leak site on 23 January 2026, accompanied by a countdown timer that gives KPMG a deadline of 10 days to engage with the group or risk data publication.
Nova’s announcement specifically names KPMG Netherlands and implies that data was exfiltrated during the alleged incident. The group’s listing on the leak site reflects a common tactic in ransomware and extortion operations known as double extortion, where attackers combine threats of data disclosure with potential encryption of systems to compel victims to negotiate. The leak site entry included a 10-day timer that typically signals when attackers might begin publishing data if their demands are not met.
KPMG has issued a public response to the claim, stating that its managed IT infrastructure and security systems have not been compromised and emphasising that it takes cybersecurity and monitoring seriously. The company’s statement does not confirm any data loss or breach and reflects a cautious position while the situation is assessed. At this stage, there is no independent verification that Nova’s claim corresponds to an actual breach of KPMG systems.
Details about the alleged attack, including the types of data involved or whether any data exfiltration occurred, have not been published by Nova or corroborated by third-party cybersecurity researchers. The absence of publicly released samples or technical evidence means that the claim remains unverified and subject to ongoing evaluation. In some ransomware extortion cases, threat actors publicly list organisations on leak sites before providing proof or before further negotiation succeeds, making initial claims difficult to assess without forensic confirmation.
Professional services firms such as KPMG are considered attractive targets for ransomware actors because they hold extensive corporate and client information spanning audit workpapers, tax filings, and advisory records. Threat actors may perceive such data as high value in negotiations if they are able to demonstrate possession. However, without verification of the Nova group’s claim or public disclosure of compromised data, the current status of KPMG Netherlands’ systems and information remains uncertain.
The situation continues to develop, and KPMG’s public statements, along with monitoring by cybersecurity services, will inform whether further action, such as investigation findings or regulatory notices emerge in response to the claim. Authorities and industry observers often treat such extortion listings as triggers for internal audits and threat hunts, even when claims are initially unverified.