My English House Ransomware Attack by Nova (May 2026)

Claim Summary

On May 27, 2026, the ransomware group “Nova” posted a claim on its dark web leak site alleging a successful attack against My English House, a network of English language academies operating across Spain. According to the threat actor’s post, they have allegedly stolen data from the organization’s network, which includes information related to the company’s operations, franchise model, and proprietary “learning by doing” methodology. The group claims to have provided “tree and samples” of the stolen data to the company’s support department, suggesting they have initiated direct contact with the victim. The volume of data allegedly exfiltrated remains undisclosed.

Threat Actor Profile

The group operating under the moniker “Nova” is a relatively opaque ransomware actor with limited public tracking. At the time of this report, no confirmed total victim count, known tools, or established tactics, techniques, and procedures (TTPs) are available in open-source intelligence. This lack of public research raises significant credibility concerns regarding the group’s operational history and capabilities.

Nova’s claim against My English House appears to follow a common extortion model: data exfiltration followed by a threat of publication unless a ransom is paid. However, without a known track record, it is impossible to verify whether Nova has successfully executed previous attacks or if this is an opportunistic claim. The group’s use of a leak site and offer to provide data samples suggests they are attempting to establish credibility, but this behavior is also consistent with smaller or newly formed groups that may exaggerate or fabricate claims to pressure victims.

Alleged Data Exposure

The threat actor claims to have stolen data from My English House, but has not specified the types of records compromised. Based on the organization’s profile as a language school chain with over 30 locations and a franchise model, potential data exposure could include:

• Franchisee agreements and operational documents
• Student enrollment records and contact information
• Employee payroll and HR data
• Proprietary educational methodology documentation
• Financial records and banking details

Nova’s statement that they provided “tree and samples” to the company’s support department indicates they have shared a directory structure and selected files to prove the breach. However, without independent verification, the scope and sensitivity of the data remain speculative.

Potential Impact

If the claim is verified, My English House could face significant operational and reputational consequences. The exposure of franchisee data and proprietary methodology could damage trust with business partners and undermine the company’s competitive advantage. Student and employee data breaches could trigger regulatory scrutiny under Spain’s data protection laws (LOPDGDD) and the EU’s General Data Protection Regulation (GDPR), potentially resulting in fines of up to 4% of annual global turnover.

The franchise model adds complexity, as affected franchisees may seek legal recourse or terminate agreements. Additionally, the public nature of the leak site could lead to data being reposted or shared on other forums, extending the exposure window.

What to Watch For

• Direct communication: My English House should verify any contact from the threat actor through official channels and avoid engaging with unverified demands.
• Data monitoring: The organization should monitor dark web forums and leak sites for any publication of stolen data, particularly franchisee and student records.
• Regulatory notification: If data exposure is confirmed, My English House must notify the Spanish Data Protection Agency (AEPD) and affected individuals within 72 hours under GDPR.
• Franchisee outreach: Proactive communication with franchisees about the incident and potential data exposure is critical to maintaining trust.
• Security posture review: The company should conduct a forensic investigation to determine the attack vector and implement remediation measures.

Disclaimer

This report is based solely on an unverified claim posted by the threat actor “Nova” on their dark web leak site. Yazoul Security has not independently confirmed the breach, the data exfiltration, or the identity of the victim organization. Ransomware groups frequently exaggerate or fabricate claims to pressure victims into paying ransoms. This information is provided for intelligence purposes only and should not be acted upon without further verification. No PII, download links, data samples, credentials, or access methods are included in this report.