The leaked personal information and photos of almost every Salvadoran

Screenshot of leaked data


Cyber-security experts have been evaluating the distribution on the dark web of the personal information of more than five million Salvadorans, including high-resolution ID photos, names, addresses, and national identity (DUI) numbers.

The cybersecurity company Resecurity wrote:
[T]his data leak is significant because it marks one of the first instances in cybercrime history where virtually the entire population of a country has been affected by a compromise of biometric data....Beyond the massive scale of Salvadorian PII records, threat actors also obtained a headshot of each victim, which represents a crucial biometric data marker – particularly in the golden age of generative AI. Notably, the vast scale of this biometric and PII data breach places most of El Salvador’s population at significant risk for identity theft and fraud. Armed with modern deep fake technology, threat actors can leverage victim headshots and related PII to stage more convincing frauds across a broad universe of digital-first financial, merchant, and government portals.

A group (or person) calling themselves CiberInteligenciaSV divulged the data for free on their Telegram channel.

The leak revealed negligence by whoever had originally stored this information (presumably the Salvadoran government), who violated some basic data privacy best practices, according to an article at BiometricUpdate.com:

Storing the data in a way no privacy or biometrics professional would recommend is one problem, but attaching the ID number and other personal information could make the breach significantly more damaging.

Around the same time, there were reports that hackers had also released a portion of the source code for the Chivo Wallet ATM system.  Chivo Wallet is the Bitcoin custodial wallet of the Salvadoran government, rolled out with great fanfare as part of Nayib Bukele's move to have El Salvador adopt Bitcoin as legal tender in the country.  

CiberInteligenciaSV was also behind the disclosure of the Chivo ATM source code, according to online periodical The Block, which focuses on digital assets:

“This time I am bringing you the code that is inside the Bitcoin Chivo Wallet ATMs in El Salvador, remember that it is a government wallet, and as you know, we do not sell, we publish everything for free for you,” CiberInteligenciaSV said Tuesday in its post.
The leak comes several days after the band of cybercriminals published online the personal data of roughly 5.1 million Salvadorans as part of a separate exploit. The hackers released the stolen information to the public to punish the Salvadoran government for refusing to engage with it, according to CiberInteligenciaSV.

The database with the identity information of millions of Salvadorans may have been hacked from the Chivo Wallet system, although that is not clear, and CiberInteligenciaSV said in a post that it had never claimed Chivo was the source of the identity database. Chivo Wallet issued a press release on X asserting that the data breach was not from its system:


So there is that denial. What the Salvadoran government has not done, however, is state where it thinks the data breach did occur and what it is doing in response to the personal information of five million citizens circulating freely.

These have not been the only data leaks in El Salvador in recent years. Hackers associated with the group Guacamayaleaks reportedly obtained 4.24 terabytes of data, including 10 million e-mails belonging to the police and 250,000 belonging to the Salvadoran armed forces. That hacked dataset has been the source of numerous journalistic revelations about questionable police activities. Other leaks involved data on the owners of more than 800,000 cars in El Salvador and customer data from a savings and credit institution.

Might this be connected?  Journalist Jorge Beltran Luna tweeted today: 

There have been complaints made that since yesterday all the technical staff of the Ministry of Innovation have been detained [at the Ministry]; they are being questioned about the hacking of government servers and pages.

These large-scale digital security failures have to be embarrassing for a government that has been promoting itself as the next digital technology center in the Americas.

