Mexico’s National Defence Data Breach: A Wake-Up Call for the Country’s Cybersecurity Landscape

DCU Law and Tech regularly publishes blog posts discussing the topics Law and Technology written by a variety of authors.

Joseph Boyer

When 6 gigabytes of private data were leaked from the Mexican Secretariat of National Defence in September of last year, the nation was caught off guard. An international organization of hackers known as the “Guacamaya” was responsible for this breach. This anti-imperialist group is active in several nations, including Mexico, Peru, Chile, Colombia, Guatemala, and El Salvador.

The Data Breach Incident

6 Terabytes of highly confidential national security data from Mexico’s Secretary of National Defence were made public on September 29, 2022. An international hacker group called “Guacamaya” was responsible for this incident. The breach, which is regarded as the biggest data breach in Mexican history, involved communications between the Secretaries of National Defence and the Navy regarding the health and wellbeing of President Andrés Manuel Lopez Obrador, as well as information about the “Culiacanazo” incident.

This event consisted in a series of confrontations and roadblocks in Culiacan, Sinaloa, which sparked on October 17, 2019 by the criminal organization Cartel de Sinaloa against the security forces of the Mexican Army, following the capture (and subsequent release) of Ovidio Guzmán López, son of drug trafficker Joaquín Guzmán Loera.

Additionally, the Mexican Army was given construction contracts for the Tren Maya and the International Airport of Tulum. The Secretary of National Defence was called before the Commission of National Defence of the Chamber of Deputies to discuss a budget for cybersecurity in response to the breach.

It is important to note that the type of classified material that was released presents several threats to national security. First by disclosing army personnel’s internal communications while doing their duties. Part of this data includes confidential communications between senior military officers, soldier personal information, intelligence on drug traffickers and other criminals, as well as civil complaints about crimes. This information could have disastrous effects if it ends up in the wrong hands. Secondly, the leak of military information concerning President Andrés Manuel López Obrador’s health and wellness, showed that the president had to be sent to the hospital in a medical emergency last January because of heart disease.

With all of this in mind, the high level of confidentiality of this data means that anyone who obtains access to it could pose a threat to both the government and the state’s security. Both the Senate of the Republic and the Chamber of Deputies have urged the current administration to allocate a portion of the national budget to cybersecurity in reaction to the aforementioned cybersecurity attack.

Mexico’s Cybersecurity Landscape

The 2020 Global Cybersecurity Index, which rates nations based on five criteria—legal, technological, organizational, development capacity, and cooperation—was released by the International Telecommunication Union (ITU). Mexico was placed 52nd out of 182 nations, below nations like Kenya and Morocco, according to the survey.

According to this index, Mexico has some relative strengths in areas like technical and cooperative measures, while organizational measures represent a potential area for development. This indicates that Mexico is effective at putting its technological capabilities into practice through national and sector-specific institutions, as well as through collaborations with businesses, organizations, and other nations. Mexico, in contrast, lacks national cybersecurity plans and agencies.

Spain came in 4th among some of the European nations, followed by France in 9th and Germany in 13th. Their common areas of relative strength are legal, technical, development capability, and cooperation, while their common areas of potential growth were organizational. In comparison to other nations, the survey claims that Europe has a high level of cybersecurity awareness and has room for improvement in areas such as national cybersecurity strategies, cybersecurity agencies, and child online protection strategies and initiatives.

In Mexico, the Federal Criminal Code and the State Penal Code, which specify criminal behavior and the corresponding penalties, apply to some cybercrimes. At the federal and state levels, there is a lack of consistency in the definition of criminal behavior connected to security issues, as well as the consequences and sanctions that go along with it. Citizens, therefore, face legal confusion as a result of the disparity between the definition of crimes and the associated penalties.

Instead, the European Union has several cybersecurity policies, a European Union Agency for Cybersecurity (ENISA), many directives on measures for a high level of cybersecurity throughout the Union, and an investment intended for research and development. Some European Union cybersecurity regulations are the European General Data Protection Regulation, the EU Cybersecurity Strategy, and the EU Cybersecurity Act.

Recommendations for Cybersecurity Development

Overall, Mexico could follow the following steps in order to minimize future cyberattacks or even prevent them. The first step is to, allocate a portion of the national budget to cybersecurity. The second step would be for, Mexico to develop several harmonized national regulations regarding criminal behavior and penalties for cybercrimes across the nation, as well as safeguarding individual privacy and establishing a federal cybersecurity agency. Lastly, Mexico should promote cybersecurity awareness throughout the nation, as most people are unaware of the different strategies cyberattackers employ to obtain user information.

The National Defence data breach in Mexico was undoubtedly a turning point with numerous consequences that can have a positive effect on the development of the nation. One example of what is to come are the continuous efforts of the Chamber of Deputies to enact a federal cybersecurity legislative initiative, which supposedly should be approved by the end of this year.

Joseph Boyer is an EMILDAI student specializing in Data Governance and Cybersecurity and a lawyer with expertise in international trade, tax law and negotiation.

More Blog Posts

UK Data Protection Law: A New Direction?
Divyam Wadhwa
Student of MDPP, DCU
On 31 December 2020, the United Kingdom (UK) formally departed from the European Union (EU). Following that, on 1 January 2021,…