Massive Data Breach Exposes Millions of Mexicans’ Personal Info

Massive 2026 Hack in Mexico: Chronus Leaks SAT and IMSS Data of Millions of Citizens

Mexico — The hacker group Chronus has leaked data from the SAT, IMSS, and state agencies. The National Cybersecurity Plan was published just weeks ago.

On December 30, 2025, as the country prepared to welcome the new year, the hacker group Chronus fulfilled its threat: it released information from at least 20 Mexican public institutions. Among the leaked data are records from the SAT, IMSS-Bienestar, state judicial powers, and the governments of Sonora, Querétaro, and Mexico City.

These are not abstract numbers. They are names, addresses, phone numbers, RFCs, CURPs, social security numbers, and, in the case of IMSS, medical conditions and blood types. They are the data of millions of Mexicans who trusted their information to the State and are now exposed to fraud, extortion, and identity theft.

The irony is impossible to hide: the National Cybersecurity Plan 2025-2030 was presented just weeks before. Eighty-five pages of good intentions that did not serve to prevent one of the most serious hacks in the country’s recent history.

The Data Now in the Hands of Criminals

The scope of the damage is still being assessed, but preliminary reports speak of complete databases with tax information, medical histories, and judicial records. These records are already being commercialized on deep web forums. This incident adds to another that occurred just months before: in December 2024, a hacker identified as “iZED” leaked more than 111,000 access credentials to the SAT, including passwords and e.firma keys. The pattern is clear: fiscal and health institutions are recurring targets.

What does this mean for an ordinary citizen? That anyone with access to that information can impersonate them before a banking institution. They can request loans in their name. They can extort their relatives with precise data about their health or tax situation. They can commit tax fraud using their RFC.

IMSS pensioners are particularly vulnerable. In September 2025, information on 20 million of them had already been leaked. Now, with this new breach, the risk multiplies. These are older people, many with little familiarity with technology, who can be easy targets for telephone scams where the criminal knows their name, their ailment, and even their blood type.

A Pattern of Negligence That Is Now Customary

This is not an isolated incident. It is the most recent chapter in a story of systematic negligence.

• In 2018, the SPEI system of the Bank of Mexico was compromised.
• In 2019, Pemex suffered a ransomware attack that paralyzed its operations, and the attackers demanded 5 million dollars.
• In 2022, the Guacamaya group extracted 6 terabytes of classified information from SEDENA—the largest documented cyberattack against the Mexican government.
• That same year, the Secretariat of Infrastructure had to suspend procedures for two months after a malware attack.
• In November 2024, the RansomHub group published stolen information from the federal government’s official website.

And now, Chronus. A group that since 2021 has accumulated more than 1,700 security incidents, 26 of them against Mexican public institutions. It is not an unknown actor. Its methods are documented. Its history is public. Even so, it managed to breach 20 agencies in a single blow.

How many more hacks are needed for the government to take cybersecurity seriously?

The National Cybersecurity Plan: Much Paper, Little Reality

On December 4, 2025, the Agency for Digital Transformation and Telecommunications presented with great fanfare the National Cybersecurity Plan 2025-2030. The document promised to turn Mexico into a “regional reference in cybersecurity governance.” It included the creation of a National Cybersecurity Council, a unified operations center, and detection capabilities with artificial intelligence.

Three weeks later, Chronus demonstrated that those promises are worthless if there is no execution.

Specialists had already warned of the flaws. The plan has no defined budget allocation. It does not include an implementation schedule with measurable milestones. Responsibilities between agencies are diffuse. It does not address the protection of private critical infrastructure. Victor Ruíz, director of the firm SILIKN, described it as “a Christmas wish, not a viable project.”

The problem of cybersecurity in Mexico is not a lack of diagnoses or well-written documents. The problem is the abysmal distance between discourse and action. Between the international standards that are signed and the operational reality of government systems.

Hack or Internal Leak? The Answer Matters Less Than the Result

The Secretariat of Anti-Corruption and Good Government opened an ex officio investigation. In its statement, it did not rule out that the incident was caused by “misuse of access credentials” or “a possible internal leak.” That is, that there was not necessarily a sophisticated external intrusion, but that someone from inside could have facilitated access.

If that were the case, the situation would be even more serious. It would mean that the government not only cannot protect itself from external threats, but also does not have effective internal controls. That any public servant with access to sensitive databases can extract information without anyone detecting it in time.

But for the citizen whose information is already circulating on criminal forums, the technical distinction is irrelevant. The result is the same: their data is exposed. The State failed to protect them. And no one is going to return their privacy.

What You Must Do (Because the Government Will Not Do It for You)

Given the demonstrated institutional incapacity, the responsibility to protect oneself falls—unjustly—on the citizens themselves. These are the minimum recommendations:

1. Change your passwords. If you use the same password for the SAT as for other services, change it immediately. Use unique passwords for each platform.
2. Activate alerts in the Tax Mailbox. Any unusual movement in your tax situation should generate a notification.
3. Monitor your credit history. Regularly check your report at Buró de Crédito or Círculo de Crédito to detect loans you have not requested.
4. Be wary of unexpected calls. If someone contacts you claiming to be from the SAT, IMSS, or any agency, do not provide information. Hang up and verify directly through official channels.
5. Take care of older adults. If you have pensioner relatives, warn them about possible scams. Criminals can use precise data to appear legitimate.

The Cost of Inaction

Mexico records an average of four cyberattacks per second. In the first months of 2025, more than 40 billion intrusion attempts were counted. The country is the second most attacked in Latin America, and 2026 will be even more critical due to the soccer World Cup, which exponentially expands the attack surface.

The government has two options. It can continue publishing plans that no one implements, investigations that sanction no one, and statements that resolve nothing. Or it can start treating cybersecurity as what it is: a matter of national security that requires real investment, specialized talent, and accountability.

Meanwhile, millions of Mexicans bear the consequences of a State that did not know—or did not want—to protect their data. The Chronus hack is not an accident. It is the predictable result of years of institutional negligence.

The question is no longer whether there will be another attack. The question is when, and how many more millions will be exposed.