SEP Data Breach Exposed Student Records, Blood Types, and Family Data Across Mexico

The SEP data breach that first emerged earlier in 2025 continues to circulate online, exposing sensitive personal data from thousands of students, teachers, and families across Mexico. The information includes full names, CURP national IDs, addresses, medical details, and parental financial data. The files, leaked by the group known as Sociedad Privada 157, remain accessible despite the Secretaría de Educación Pública (SEP) publicly denying that any of its systems were compromised.

Background and Ongoing Exposure

The breach, originally reported in the first half of 2025, affected multiple educational institutions under SEP’s oversight, including the Colegio de Bachilleres de Quintana Roo (COBAQROO) and other schools across Quintana Roo, Campeche, Chiapas, Tabasco, and Coahuila. The criminal group responsible, Sociedad Privada 157, had previously targeted other Mexican government entities and made several politically motivated leaks throughout the year. The group continues to republish the same data and draw public attention to what it claims are serious systemic failures in SEP’s cybersecurity.

Although the SEP data breach is not new, the reappearance of the same files in recent weeks has reignited public concern. Evidence reviewed by cybersecurity researchers and journalists confirms that the leaked information is genuine, contradicting SEP’s recent statement that the reports are false. This reemergence demonstrates that sensitive student data remains available to the public, increasing the long-term risk for affected families.

Evidence of the SEP Data Breach

The attackers posted screenshots and downloadable archives to a dark web forum under the title “DATA OF STUDENTS OF SEP.” The leak includes a ZIP file named STUDENTS QUINTANA ROO (cobaqroo).zip, created on July 11, 2025. Inside are at least 24 Excel spreadsheets containing thousands of student records. Many of the files are labeled with coded names such as “0aBvJP-7.xls” and “mVBA_5Is.xls,” each containing between 100 and 370 individual records.

Across all spreadsheets, the dataset includes over 5,000 records belonging to minors. Each entry contains personal, academic, and medical data. The structured nature of the files suggests the data was exported directly from SEP’s internal information systems, rather than scraped from public sources.

Contents of the Leaked Files

Each record in the SEP data breach contains highly detailed personal and family information, including:

  • Full names of students, tutors, and parents
  • CURP (Mexican national ID number)
  • Date of birth, age, and gender
  • Matriculation and group information
  • Phone numbers, addresses, and email accounts
  • Insurance coverage and blood type
  • Academic semester, school, and location
  • Income and occupation of parents or guardians
  • Psychological and medical treatment indicators

Some screenshots show that data fields even include whether a student receives psychological assistance, visits the dentist, or has specific allergies. The inclusion of this level of medical and personal detail significantly increases the privacy and safety risks for affected minors.

Mocking SEP’s Security and Response

In one of the files shared by the attackers, a message directed at SEP administrators mocks their weak security practices. It mentions passwords such as “1234” and criticizes officials for neglecting proper cybersecurity measures. The group’s tone is taunting and political, indicating that the leaks are partly intended to publicly embarrass the agency.

Messages included with the leak specifically mention SEP officials and accuse them of incompetence. This follows the same communication pattern observed in earlier Sociedad Privada 157 operations, where data theft is accompanied by public ridicule and calls for accountability.

SEP’s Official Denial and Public Backlash

Following renewed attention to the data circulating online, SEP issued an official statement on social media denying that any breach had occurred. The agency claimed that “none of the computer systems of this agency, nor in the states, has been compromised,” and described the circulating data as “false.”

SEP also stated that previous “unsubstantiated claims” had been similarly dismissed, reaffirming its “commitment to protect educational community information.” However, this statement contradicts the clear digital evidence showing spreadsheets and ZIP archives containing real student and family data, many of which have been verified by independent sources.

The denial has drawn criticism from cybersecurity analysts and data protection advocates. Experts argue that minimizing or denying the breach undermines public trust and prevents families from taking necessary precautions to protect their personal information. Many also stress that the data itself is authentic, regardless of whether SEP’s active systems were directly breached or the data was taken from an earlier leak.

The SEP data breach represents a severe privacy violation involving minors. The exposure of CURP identifiers, health data, and contact details can lead to identity theft, impersonation scams, and targeted phishing attacks. Because the victims include students under 18, the incident may also violate child data protection regulations under the Federal Law on Protection of Personal Data Held by Private Parties (LFPDPPP) and the General Law on the Protection of Personal Data in Possession of Obliged Subjects (LGPDPPSO).

Furthermore, the inclusion of blood types, medical treatments, and parental income data exceeds the limits of what should ever be stored in non-encrypted administrative systems. If confirmed, this leak indicates systemic mismanagement of personal data within Mexico’s educational infrastructure.

Why the SEP Denial is Problematic

By denying the breach rather than investigating it, SEP risks worsening the situation. Public denial sends the message that no mitigation steps are needed, leaving students and families unaware of the potential consequences. This approach also invites further attacks, as it signals to threat actors that transparency and accountability are weak points within government systems.

Even if the compromised data originated from a previous system or regional database, the information remains sensitive and active in the wild. Once such data is published, it can circulate indefinitely on dark web forums and data-trading channels, making denial ineffective and dangerous.

How Students and Families Can Protect Themselves

Anyone who has attended SEP institutions in recent years should assume that personal or family data may have been exposed. Recommended precautions include:

  • Changing passwords on all school-related and personal accounts
  • Monitoring emails, phone calls, and SMS messages for phishing or scams
  • Never sharing additional private details in response to unsolicited messages claiming to be from SEP or related entities
  • Using security software such as Malwarebytes to detect and remove potential malware from compromised systems
  • Reporting any suspicious communication to local authorities or cybersecurity organizations

Parents should also explain to their children how cybercriminals can misuse personal information and encourage them not to share sensitive data online.

Moving Forward: Accountability and Reform

The SEP data breach is more than a one-time event. It highlights long-standing vulnerabilities in Mexico’s public education data management. While SEP’s denial may be an attempt to control public perception, the continuing availability of leaked files proves that major reforms are necessary. Stronger authentication systems, independent audits, and mandatory encryption of student records should be the immediate priority.

Until Mexican authorities acknowledge and address these issues, similar breaches are likely to recur. For many families, the damage is already done, and the leaked information may remain online permanently.

Sean Doyle

Sean is a tech author and security researcher with more than 20 years of experience in cybersecurity, privacy, malware analysis, analytics, and online marketing. He focuses on clear reporting, deep technical investigation, and practical guidance that helps readers stay safe in a fast-moving digital landscape. His work continues to appear in respected publications, including articles written for Private Internet Access. Through Botcrawl and his ongoing cybersecurity coverage, Sean provides trusted insights on data breaches, malware threats, and online safety for individuals and businesses worldwide.
