SAT Denies Claims of Data Breach

Photo by:   Mexico Business News
By MBN Staff - Tue, 12/30/2025 - 10:45

The Tax Administration Service (SAT) denied the existence of a security breach within the Factura SAT Movil application, following reports regarding the unauthorized sale of 120,000 digital tax receipts on the dark web.

The alleged technical discrepancy stems from the identification of a suspected critical vulnerability in SAT's microservices gateway. While threat actors claim to have bypassed authentication mechanisms, the institution maintains the integrity of its operational protocols.

"From the analysis performed on the technological infrastructure of the Factura SAT Movil application, no evidence of any hacking is identified, nor that information has been compromised, nor was the existence of any vulnerability detected," the Mexican Government says in its Information Card 17.

The incident gained relevance in the B2B sector due to the nature of the data allegedly exposed. According to threat intelligence reports from Kela, an Israeli cyber threat intelligence company, the threat actor group known as ByteToBreach claimed access to sensitive information from December 2025. Cybersecurity Specialist Ignacio Gómez says the attack vector did not involve compromising end-user credentials but rather obtaining authentication tokens to query the database of the agency directly.

This scenario highlights the ability of attackers to simulate legitimate traffic, which complicates early detection by conventional monitoring systems. Among the digital assets allegedly compromised are payroll records with exact salary amounts, private commercial relationships, bank accounts, and fiscal addresses. 

To support the claims, evidence was presented including the validation of stolen invoices through the public portal of the SAT. However, the organization clarified that the invoice verification service is public by design. This system allows any taxpayer to validate the authenticity of a Digital Tax Receipt via the Internet — commonly known as CFDI — by entering the UUID, the RFC of the issuer, and the RFC of the recipient. This public availability may explain the legitimacy of the queries without necessarily implying unauthorized access to central servers.

Growing Number of Cyberattacks Target Government Institutions

Cyberattacks targeting Mexico’s federal institutions are projected to increase by 260% in 2025, reports cybersecurity company SILIKN. “The most concerning threat does not come from external hackers, but from insiders: active employees, former staff with unrevoked credentials, or negligent personnel,” says Víctor Ruiz, CEO and Founder, SILIKN. According to the analysis, insiders account for about 70% of security breaches, data leaks and cyberattacks in government institutions.

SILIKN’s research indicates that globally 68% of breaches are linked to human factors. In Mexico, 60% of data violations result from human error, says the company, while 22% involve internal employees directly. Within the public sector, over half of Mexican institutions reported at least one incident in 2024, with the most severe cases concentrated in the government, health, and financial sectors. SILIKN reports that many Mexican organizations suffered at least one cyberattack compromise in the previous year, with the government sector experiencing a compromise rate of 80.7%.
