Major Data Breach Hits Mexican Government Agencies

The ATDT denied the massive hack and stated that no publication of sensitive data has been identified.

The hacker group calling itself ‘Chronus’ has hacked the systems of at least 25 federal, state, educational, and political agencies, compromising the information of at least 36.5 million people in Mexico. According to cybersecurity firm Silikn, this is shaping up to be one of the most serious cybersecurity events in the country’s recent history.

According to the report shared by the company, led by Víctor Ruiz, the volume of data exposed by this cybercriminal group reaches 2.3 terabytes, which is already circulating on Telegram channels, where multiple downloads were recorded in the first hours after its publication.

“Among the affected entities are the Tax Administration Service, IMSS Bienestar, and the Morena party, in addition to health, education, justice institutions, and state governments,” explained Ruiz, who highlighted that the leaked packages include voter rolls, administrative databases, and operational records with varying levels of detail.

The case with the largest volume corresponds to the IMSS Bienestar SPPA voter roll, with 1.8 terabytes in compressed files that would cover more than 3.1 million people, including validations with RENAPO, affiliation status, geographic location, and digital verification QR codes, according to the preliminary investigation.

Likewise, the exposure of complete databases from the National Institute of Perinatology with hundreds of thousands of records is reported, as well as information on insurance sector agents with data such as CURP, RFC, photographs, and professional licenses.

ATDT Denies Massive Leak

For its part, the Agency for Digital Transformation and Telecommunications (ATDT) denied the massive hack, considering that most of the material shared by the Chronus group had already been disseminated by the group previously, thus ruling out that government agencies are compromised.

“The analysis conducted so far indicates that it is mostly information that had already circulated by the same group previously (…) The publication of sensitive data has not been identified,” stated the agency headed by José Antonio Peña Merino.

The agency added that the detected events would be related to obsolete systems developed and managed by third parties for federal entities, and not to a direct breach of the authorities’ central infrastructure, and that the detected credentials were disabled immediately.

“The use of valid usernames and passwords was identified and they were immediately disabled. It was not a breach of the authorities’ infrastructure.”

The ATDT indicated that it activated response protocols and recalled that the unauthorized acquisition and dissemination of databases is a crime. It also emphasized that since 2024, a specialized area has been operating that has issued early warnings and published the National Cybersecurity Plan 2025-2030.

“The authorities activated all protocols from the first moment they became aware of this threat (…) The ATDT has a specialized cybersecurity area that, since October 2024, advises and accompanies the different authorities in their protection and security processes, through which it has trained 613 public servants, issued 204 early alerts and notifications to agencies preventing information leaks,” concluded the agency.


Discover more from Riviera Maya News & Events