Industrias Peñoles Reports Cybersecurity Incident

Mexico-based mining company Peñoles reported a cybersecurity breach involving unauthorized access to some of its systems, including those of its subsidiary, Fresnillo. The company’s IT team is actively investigating the incident and implementing necessary precautions to address the issue.

Industrias Peñoles recently disclosed a cybersecurity incident involving unauthorized access to certain computing systems and information. Upon discovering the breach, the company promptly activated its established cybersecurity protection protocols and response mechanisms, as disclosed in a report to the Mexican Stock Exchange (BMV). 

The company noted its IT departments, working in conjunction with external specialists, are actively investigating and assessing the scope of the incident. Their primary focus is on ensuring the integrity, confidentiality, and availability of its systems and the information they hold. Meanwhile, Peñoles' business units continue to operate normally by utilizing alternate and backup systems.

According to Industrias Peñoles, the incident has not caused any material adverse effects on its operations, results, or financial position. Peñoles will continue to monitor the situation closely until it is fully resolved.

Similarly, Fresnillo reported on the incident, adding that it did not impact its activities and discharting any financial or operational disruption. “Fresnillo plc takes the issue of cyber security extremely seriously and will continue to fully investigate this incident and take all appropriate measures,” reads the company’s report to BMV. 

Cybersecurity in the Mining Sector 

In 2024, cybersecurity emerged as a major concern for mining companies, reappearing among the Top 10 industry challenges for the first time since 2020, now ranked 8th. EY attributes this resurgence to increased digitization, the rise in remote work, and geopolitical tensions like the Russian-Ukraine conflict. Mining leaders are increasingly worried about threats to their intellectual property, a concern likely to grow with more investment in ESG initiatives. “Today, all mining organizations are digital by default, operating in a vast, connected digital landscape where every asset represents another node in the network and increases the attack surface,” reads EY’s report. 

Despite heightened awareness of cyber risks, only 40% of boards surveyed in the EY Global Board Risk Survey 2023 feel confident in their understanding of significant cyber threats. Paul Mitchell, Leader, EY Global Mining & Metals, emphasizes the importance of comprehending the current cyber risk landscape and the threats posed by new technologies for planning secure and resilient operations.

In 2024, Alamos Gold experienced a cyberattack that resulted in the public disclosure of sensitive corporate information like social security numbers, payment reports, and financial information, among other important data. 

As noted in Alamos and Peñoles incidents, cyberattacks often target sensitive data contained in emails or inner systems. According to Kaspersky's Global Research and Analysis Team (GReAT) hackers often exploit email vulnerabilities to access sensitive information. After obtaining the emails, they assess which messages could cause reputational harm to the victims. The next step involves publishing the compromised data online and notifying the press to ensure the attack receives widespread public attention. Kaspersky disclosed that 53.6% of cyber assaults commence by exploiting vulnerabilities, with compromised accounts accounting for 17.9%, and malicious emails contributing to 14.3% of the attacks, as reported by MBN.

In an interview with MBN, David Tintor, Director of Operations, TBSEK, said mining companies are attractive targets due to the ease of calculating damages if operations are compromised. “If you are a mining company, and cybercriminals disable your mill, every second it is stopped costs about US$5.97. Multiply that by 3,600 for an hour, and the financial impact can accumulate, even for days. They make it clear: Pay US$1 million or suffer damage worth US$10 million,” he noted.