Sensitive PII of millions leaked in historic Moroccan data breach


Earlier this month, Morocco was rocked by what is considered to be its most significant cybersecurity breach to date. The target was the nation’s National Social Security Fund, Caisse Nationale de Sécurité Sociale (CNSS), the government institution that is responsible for managing social benefits for private-sector employees. The breach compromised the personal information of nearly two million individuals and around 40,000 registered businesses and their nearly 4 million employees.

Established in 1961 to succeed the Caisse d’Aide Sociale, CNSS is Morocco’s central institution managing compulsory social insurance for private-sector employees. Its responsibilities span healthcare coverage, pension management, unemployment support, maternity benefits, disability services, family allowances, and death grants. In fulfilling these duties, CNSS maintains one of the country’s most extensive digital repositories of citizen data.

The data breach is a wake-up call for Morocco’s public and private sectors as the nation undergoes rapid digitization. The breach exposed weaknesses in crisis communication, data governance, and regulatory transparency. Victims of the breach reportedly remain uninformed and vulnerable, while broader public trust in government institutions continues to erode in the absence of meaningful action or accountability.

The entity behind the breach is a threat actor operating under the alias “Jabaroot,” who reportedly emerged on a prominent Dark Web forum, where they released the stolen data freely in CSV and PDF formats. But unlike most cybercriminals who seek profit through ransomware or dark market sales, Jabaroot made no attempt to monetize the breach. According to cybersecurity analysts at Resecurity, this pattern of behavior may suggest motives that are aligned with hacktivism or cyber-espionage rather than theft for outright financial gain.

“The motive behind the data breach remains unclear, but the scale of compromise already generated attention across the region’s cybersecurity community and privacy experts. The breach could be interpreted as Morocco’s most significant cyber-attack,” Resecurity said in its analysis of the attack.

The scale and sensitivity of the compromised data are certainly staggering. For individuals, the dataset contained their full names, national ID numbers, passport details, email addresses, phone numbers, salary information, and banking credentials. Internal documentation, registration data, and contact information for administrative staff from tens of thousands of businesses and other enterprises also were exposed.

Employees from major Moroccan government bodies were also caught in the breach, including personnel from the Ministry of Economy and Finance, the Ministry of Health, the Moroccan Agency for Investment and Export Development, the Moroccan Pension Fund, the National Office for Food Safety, the General Treasury of the Kingdom, and Maroc PME, the agency responsible for supporting small and medium enterprises.

“A data breach of such scale will likely have a negative, long-lasting impact on citizens’ data that could create risks of fraud and identity theft,” Resecurity warned.

Adding to the complexity of the breach is its geopolitical undercurrent. On a Telegram channel believed to be operated by Jabaroot, the bad actor referenced the hacking of Algeria’s state news agency’s X account by Moroccan actors as a motive for retaliation.

This tit-for-tat narrative fits into a larger pattern of cyber hostilities between Moroccan and Algerian groups, intensifying concerns that regional rivalries are bleeding over into the digital domain. Although Jabaroot never requested a ransom, reported insider accounts suggest there may have been initial unmet demands that were made privately to Moroccan authorities.

Among the files leaked were salary details of government officials, some of whom were accused by the hacker of downplaying the scale of the breach. This dataset, which was contained in a compressed 7z archive dated November 29, 2024, has left cybersecurity professionals speculating whether the breach may have occurred months earlier and was deliberately withheld.

According to Resecurity, the validity of the data has been confirmed through internal assessments and cross-verification with its clients. However, despite the growing body of evidence and increasing public concern, neither CNSS nor Moroccan regulators have formally notified affected individuals, according to reporting.

This lack of transparency has raised serious questions about consumer rights and institutional accountability. Victims of the breach have yet to receive any official communication or guidance on how to protect themselves, which has created an environment that is ripe for exploitation.

Cybersecurity experts have warned of the high likelihood of identity theft, financial fraud, and targeted social engineering attacks as bad actors take advantage of the exposed data. Moreover, these bad actors may already be using the information to impersonate citizens in banking systems or to execute phishing campaigns aimed at stealing even more credentials.

The leaked data not only includes Moroccan nationals but also employees and entities affiliated with European and other foreign enterprises operating within the country. Given Morocco’s increasing integration into international trade networks, this breach could have transnational ramifications, further complicating diplomatic and economic relationships.

The National Commission for the Control and Protection of Personal Data (CNDP), Morocco’s chief data protection authority, has publicly acknowledged the breach and expressed concern about the illegal use of personal information obtained through such data breaches.

CNDP reminded institutions and the public that data acquired outside legal frameworks cannot be accessed or exploited without violating existing data protection laws. There has been little movement in terms of governmental response, legal action, or preventive regulation.

Resecurity is collaborating with law enforcement agencies to investigate the breach. While initial analysis has not conclusively identified whether the hack was orchestrated by a state-sponsored group, the pattern of behavior strongly resembles tactics used by Advanced Persistent Threat actors.

“Such tactics are …. typical for advanced espionage groups targeting governmental agencies,” Resecurity noted, adding that “to avoid attribution, such actors prefer to operate under the guise of cybercriminal motives as hacktivists.”

In this instance, the absence of any financial incentive, combined with the strategic nature of the target and the political messaging around the hack, strengthens the case for a more complex state-backed motivation behind the CNSS hack.

CNSS has warned citizens about the dangers of sharing personal information. Nearly two years ago the fund issued an alert disassociating itself from individuals impersonating CNSS representatives who had been contacting citizens to demand banking details. CNSS pledged at the time to monitor and take legal action against any such fraudulent schemes.
