A hacker collective known as Chronus made good on threats Thursday, releasing massive amounts of personal data from government agencies and institutions across Mexico — including information from a private university in Yucatán.
The group dumped roughly 2.3 terabytes of data involving 25 institutions, according to cybersecurity journalist Ignacio Gómez Villaseñor, who reviewed the leaked files. Chronus estimates the breach affects about 36.5 million people, or 28% of Mexico’s population.
Among the affected institutions is Clínica Universitaria Anáhuac Mayab in Yucatán, alongside the municipality of Benito Juárez in Quintana Roo, which includes Cancún.
The data dump represents one of the largest cybersecurity breaches in Mexico’s recent history. It exposes personal details ranging from Social Security numbers and medical records to internal government documents and voter registration data.
Biggest target: IMSS Bienestar
The most extensive leak involved IMSS Bienestar, Mexico’s public healthcare system. Hackers released 1.8 terabytes in five compressed files containing the System of Social Protection in Health registry.
That database includes information on 3.15 million people, complete with direct validations from Mexico’s national population registry RENAPO, affiliation status, geographic locations and digital validation QR codes. The predominantly PDF format suggests hackers extracted complete digitized records, not just metadata.
Within an hour of publication, the IMSS Bienestar database had been downloaded 74 times.
The National Perinatology Institute also suffered a severe compromise. Hackers obtained a complete SQL database dump with more than 24 internal databases and 494,311 lines of records. Access at that administrative level would allow reconstruction of the institute’s complete operational and clinical history.
Biometric data exposed
The National Insurance and Bonding Commission breach exposed information on 95,178 people in the insurance sector. Unlike other cases, this dataset includes biometric data such as personal photographs alongside CURP, RFC and license numbers, which significantly increases the risk of identity theft and of high-quality fake documents.
The ruling Morena party’s affiliate registry was compromised, exposing data on 26,899 members. The leak includes voter credentials, affiliation status, personal phone numbers and internal review notes — information that could be used to identify and locate party members beyond public figures.
Mexico’s tax agency SAT also appears on the list, though the extent of that breach remains unclear. Chronus suggested more SAT information could be released through a VIP channel.
Complete list of affected institutions
The 25 compromised entities include:
- Clínica Universitaria Anáhuac Mayab
- Municipality of Benito Juárez, Quintana Roo
- Tax Administration Service (SAT)
- IMSS Bienestar
- Federal Health Secretariat (supplies)
- National Perinatology Institute
- National Insurance and Bonding Commission
- State health secretaries and prosecutors in Chihuahua, Tabasco and Tamaulipas
- Judicial Branch of Tabasco
- DIF systems in Zacatecas and Sonora
- State governments of Morelos and Nayarit
- COMUDE Guadalajara
- Autonomous University of the Northeast
- Morena political party
- National Institute of Political Training (Morena)
Hackers cite security failures
In a statement following the release, Chronus said the leaks demonstrate the “total inefficiency” of official security protocols and that government infrastructure “was always vulnerable.”
The breach came just weeks after Mexico unveiled its National Cybersecurity Plan 2025-2030 in early December. That 85-page document promised to make Mexico a “regional leader in cybersecurity governance” but lacked concrete budget allocations or implementation timelines.
Chronus has claimed responsibility for more than 1,700 security incidents since 2021, with 26 targeting Mexican public institutions. Previous victims include the states of San Luis Potosí and Coahuila.
Mexico’s Anti-Corruption Secretariat has opened investigations to determine how the breach occurred and whether administrative violations contributed to the security failures. Affected institutions must cooperate with inquiries and file criminal complaints where appropriate.
The primary risk to affected individuals is identity theft. Experts warn that exposed personal data could circulate for years, enabling criminals to open fraudulent accounts, file false tax returns or commit other forms of fraud.
No official statements have been released regarding victim notification protocols or data protection measures being implemented following the breach. Mexico remains highly vulnerable to cyberattacks, averaging four per second and registering more than 40 billion intrusion attempts in early 2025.
What to Know About the Mexico Data Breach
- The Chronus hacker group released 2.3 terabytes of data from 25 Mexican institutions on Jan. 30
- An estimated 36.5 million people may be affected, representing 28% of Mexico’s population
- Exposed data includes Social Security numbers, medical records, biometric information and voter credentials
- IMSS Bienestar suffered the largest breach with 1.8 TB affecting 3.15 million people
- A Yucatán university clinic and Cancún’s municipal government were among those compromised
- The breach occurred three weeks after Mexico unveiled its National Cybersecurity Plan
- Victims face elevated risk of identity theft, fraud and document forgery
- Investigations are underway but no victim notification protocols have been announced
Sources: Diario de Yucatán, Infobae, CETYS Universidad, Revista Morelia
