SEMAR Breach Allegedly Exposes Workers, Sparks Security Risk
By Diego Valverde | Journalist & Industry Analyst - Mon, 04/06/2026 - 13:30
A breach in the SEMAR port access platform allegedly exposed sensitive data on 640,000 workers, escalating cyber risk into physical and operational threats. The incident underscores urgent gaps in cybersecurity governance amid rising attacks on critical infrastructure.
A cybersecurity journalist reports that the Ministry of the Navy (SEMAR) experienced a data exfiltration from its Safe Smart Port (PIS) platform, affecting 640,000 port operators. A threat actor identified as "marssepe" from the group Sociedad Privada 157 leaked 39.7 GB of sensitive information on a public forum.
The breach occurred due to a vulnerability in the centralized portal used to manage logistical access across all national ports. Ignacio Gómez, the cybersecurity journalist who originally reported the breach, describes a transition from a digital leak to a physical operational hazard.
“The availability of this compressed file generates an active and irreversible threat scenario,” writes Gómez on his X account. “By having a mapping that links the face, the RFC, the blood type, and the workplace of more than half a million operators, the risk exceeds the digital sphere to become a physical security threat.”
The PIS functions as the mandatory digital backbone for the maritime and port authority in Mexico. According to federal mandates, every transport provider, customs agent, crane operator, and logistics professional must register within this system to secure operational credentials. Without this registration, personnel cannot access any port precinct in the country. The platform collects comprehensive dossiers to ensure that the naval authority maintains strict control over those entering and exiting high-security zones.
On Jan. 16, 2013, SEMAR reported a distributed denial of service (DDoS) attack that temporarily disabled its public-facing website. At that time, the institution clarified that the event did not compromise naval operations or national security because the internal networks remained isolated.
Recent statistics demonstrate a sharp escalation in the frequency and intensity of these attacks. Data from SEDENA indicates that the institution blocked over 35 million intrusion attempts between March 16, 2017, and Oct. 14, 2025.
In the first 10 months of 2025 alone, SEDENA faced 12.4 million attacks, while SEMAR reported 340,174 incidents during the same period. This figure for the naval department represents a 242% increase relative to 2024. Although military sources claimed in December 2025 that these attacks were neutralized without compromising confidential data, the alleged leak of 39.7 GB suggests that threat actors have successfully penetrated the perimeter of critical logistical systems.
Anatomy of the Exfiltrated National Port Registry
The leaked database allegedly contains highly granular information that allows for the precise identification of the national port workforce. According to Gómez, the file includes individual digital records comprising names, Unique Population Registry Codes (CURP), Federal Taxpayer Registry (RFC) numbers, Social Security numbers, blood types, and encoded facial photographs. Additionally, the records link each individual to a specific employer, job title, and the specific port where they operate.
The technical evidence found in the 39.7 GB file confirms that the source is the official PIS registry, says Gómez. The archive allegedly contains operational variables used by the port administration, such as identifiers for the Lenel physical security system. It also includes catalogs of customs companies and a "blacklisted" status indicator for personnel restricted from access.
The consequences of this leak could be categorized into three primary risk vectors.
Operational and Physical Security Risks
The exposure of personal and biometric data of 640,000 workers provides a blueprint for organized crime to infiltrate the supply chain. Criminal organizations can now access a detailed catalog of active personnel, which facilitates coercion, extortion, and the targeted kidnapping of operators who handle sensitive cargo.
Because the leak includes facial photos and blood types, the risk to the physical integrity of the workforce is permanent. Unlike a password, biometric data and official identity numbers cannot be reset, creating a lasting vulnerability for every individual in the database.
Identity Theft and Fraud
The availability of RFC and CURP data alongside official photographs enables large-scale identity theft. Threat actors can use this information to conduct financial fraud, open unauthorized accounts, or execute targeted phishing campaigns against customs agencies. This increases the probability of internal fraud and the unauthorized use of corporate credentials to facilitate the movement of illicit goods.
Supply Chain Integrity
The inclusion of Lenel system identifiers suggests that attackers could develop tools to bypass physical security checkpoints. If threat actors can replicate access cards using the leaked data, the security of every port in Mexico could be compromised. This scenario forces a total review of access protocols and may require the re-issuance of physical credentials for over 500,000 workers, a process that would involve significant costs and operational delays for the private sector.







