Defensoría del Pueblo de Colombia data breach

Defensoría del Pueblo de Colombia Data Breach Exposes 2.2 Million Files

A threat actor using the handle Kazu has claimed responsibility for a cyberattack on the Defensoría del Pueblo de Colombia, the Colombian ombudsman’s office responsible for human rights protection. According to the actor’s listing, the Defensoría del Pueblo de Colombia data breach involved the theft of 2,254,663 files totalling 466.2 GB. The actor is demanding a $100,000 ransom to withhold the stolen information from sale and has given the agency until November 24, 2025, to respond.

The breach affects one of Colombia’s most important oversight institutions, which operates independently of the other branches of government and plays a central role in defending civil rights, promoting transparency, and monitoring public bodies. The stolen data may include internal records, legal files, complaint forms, and communications related to human rights investigations and public grievances.

Background on the Breach

The attack first surfaced on November 10, 2025, when a listing appeared on a major cybercrime forum. The post, authored by Kazu, included the official logo of the Defensoría del Pueblo and a direct link to its public website, defensoria.gov.co. The threat actor’s description identified the organization as a “constitutional and autonomous institution responsible for protecting and promoting human rights across Colombia.” According to the forum post, the actor exfiltrated sensitive data from the organization’s internal network, including documents that may contain personal and legal information from citizen reports and case management systems.

The post also outlined the scope of the breach:

  • Files claimed exfiltrated: 2,254,663
  • Total data size: 466.2 GB
  • Ransom demand: $100,000
  • Deadline: November 24, 2025

The actor warned that if negotiations did not begin before the deadline, the entire dataset would be sold on the dark web. Contact details were provided for encrypted messaging platforms (Signal, Session, and Telegram), a common arrangement among data-extortion actors, who use these channels to keep ransom discussions private.

Threat Actor Profile: Kazu

The attacker known as Kazu is an active figure on underground forums, where they have previously shared or sold data linked to government and corporate breaches. The profile shows a relatively new account, created in mid-2025, but with multiple listings indicating consistent access to large, sensitive datasets. The Defensoría del Pueblo de Colombia data breach appears to be one of the most serious incidents attributed to this actor so far, both in scale and in the sensitivity of the targeted organization.

Unlike hacktivist breaches that aim to expose corruption or political misconduct, this attack appears to be financially motivated. The fixed ransom amount and negotiation deadline follow the extortion pattern seen in other high-profile ransomware cases. However, no ransomware strain has been publicly associated with the incident, which points to an exfiltration-only attack in which files were copied out without systems being encrypted. If that is what happened, the agency would have seen no ransomware-style outage to alert it to the intrusion, which is one reason such thefts are often discovered only when the data is advertised for sale.

Data Exfiltration and Potential Exposure

While no data samples have been independently verified, the attackers claim that the stolen files contain confidential records from within the ombudsman’s human rights database. This could include:

  • Citizen complaint forms and case documentation
  • Internal correspondence between regional offices
  • Records related to human rights investigations
  • Employee and administrative files
  • Legal and oversight documentation shared with state entities

If these claims are accurate, the breach could expose highly sensitive details about vulnerable individuals, activists, or victims of human rights violations. The public release or sale of such data could lead to reputational harm, compromised investigations, and even physical risk to individuals identified in the stolen files.

Ransom Demand and Extortion Strategy

The threat actor’s post specifies a ransom of $100,000, a moderate amount compared to many large-scale ransomware operations, suggesting an independent or small criminal operation. The message reads, “Contact us on Signal to negotiate this ransom or all your data will be sold.” This phrasing aligns with typical ransom tactics where attackers apply time pressure to encourage faster payment decisions. The listed deadline of November 24, 2025, sets a window of roughly two weeks from the forum post; whether negotiations have actually begun is not publicly known.

Cybercrime investigators note that by posting on high-visibility forums, attackers often attempt to create urgency and public embarrassment to increase the likelihood of payment. In some cases, these listings serve as leverage while private negotiations occur through encrypted channels.

Verification and Ongoing Investigation

Dark web monitoring sources and cybersecurity analysts are actively investigating the authenticity of the Defensoría del Pueblo de Colombia data breach. Early analysis treats the threat as credible, but no data samples have been independently verified, so the stated file count and data volume cannot yet be tied to the agency’s systems. Hackmanac and other intelligence aggregators have listed the breach as “pending verification” but have classified it under the government sector with a “cybercrime” threat class.

Colombian media and government agencies have not yet issued public statements regarding the incident. However, experts expect that official confirmation or denial may follow as forensic investigations progress. Due to the nature of the affected institution, any data exposure could have serious implications for ongoing human rights investigations and legal proceedings.

Impact on Government Operations and Human Rights Oversight

The Defensoría del Pueblo plays a central role in ensuring that state entities respect constitutional rights and uphold national and international human rights standards. A breach of this magnitude could compromise the confidentiality of ongoing cases, whistleblower identities, and sensitive testimony records. It could also disrupt internal communication channels, case management systems, and legal workflows.

Beyond data loss, the Defensoría del Pueblo de Colombia data breach raises broader concerns about the cybersecurity maturity of Latin American public institutions. Despite ongoing modernization efforts, many agencies continue to rely on legacy systems and fragmented IT infrastructures that lack robust monitoring and incident response capabilities. This creates ideal conditions for ransomware groups and data extortion actors to exploit.

Regional and International Implications

Colombia has faced an increasing wave of cyberattacks against public-sector organizations in recent years. The scale and sensitivity of this latest breach may draw the attention of international partners and digital rights organizations. If verified, this incident could become a catalyst for new government initiatives focused on data protection, digital sovereignty, and cross-border collaboration on cyber defense.

Experts recommend that affected institutions conduct immediate system audits, isolate compromised servers, and deploy forensic tools to determine how access was gained. Logs and disk images should be preserved before any system is rebuilt, and proxy, firewall and cloud-storage logs reviewed for the large outbound transfers that moving 466 GB of data would have produced. Citizen outreach may also be required if personal data belonging to the public was exposed. Where human rights data is involved, national data protection obligations and international privacy frameworks may require further protective action.
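The monitoring gap described above is concrete: copying hundreds of gigabytes out of a network is a sustained outbound transfer that egress logs record even when no ransomware runs. The script below is an added example, not code from Botcrawl or from the Defensoría del Pueblo, showing the kind of check an agency can run over its own proxy or firewall logs. The log format (UTC timestamp, source host, destination IP, bytes out), the hostnames, the destination addresses and the thresholds are all assumptions, and the sample log is constructed for the example.

```python
"""Flag hosts whose outbound volume inside a sliding window exceeds a threshold.

Added example (not the agency's or Botcrawl's code). The record layout,
host names and thresholds are assumptions chosen for illustration.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

GIB = 1024 ** 3

# Constructed sample egress log (assumption: one whitespace-separated record
# per connection: UTC timestamp, source host, destination IP, bytes sent).
# srv-casos-01 moves ~2.5 GiB in 40 minutes split over several connections;
# srv-backup-02 sends 5 GiB to a known backup target; the workstation is noise.
SAMPLE_LOG = """\
2025-11-03T01:00:05Z srv-casos-01 203.0.113.10 524288000
2025-11-03T01:12:40Z srv-casos-01 203.0.113.10 734003200
2025-11-03T01:25:02Z srv-casos-01 203.0.113.10 629145600
2025-11-03T01:40:11Z srv-casos-01 203.0.113.10 838860800
2025-11-03T02:05:00Z ws-regional-14 198.51.100.7 2097152
2025-11-03T02:30:00Z ws-regional-14 198.51.100.7 1048576
2025-11-03T09:00:00Z srv-backup-02 192.0.2.25 5368709120
"""


def parse_line(line):
    """Parse one egress record into (timestamp, src_host, dst_ip, bytes_out)."""
    ts, src, dst, nbytes = line.split()
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), src, dst, int(nbytes)


def find_bulk_egress(log_text, window=timedelta(hours=1), threshold=2 * GIB,
                     allowed_destinations=frozenset()):
    """Return the first sliding-window breach per source host.

    Each result is (src_host, window_start, window_end, total_bytes).
    Records sent to allowed_destinations (for example a backup target) are
    skipped so scheduled jobs do not drown the alert; everything else counts,
    including transfers deliberately split into many modest connections.
    """
    by_host = defaultdict(list)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, nbytes = parse_line(line)
        if dst in allowed_destinations:
            continue
        by_host[src].append((ts, nbytes))

    alerts = []
    for host, records in by_host.items():
        records.sort()                      # logs are not guaranteed ordered
        recent = deque()
        total = 0
        for ts, nbytes in records:
            recent.append((ts, nbytes))
            total += nbytes
            # Evict records that have fallen out of the window.
            while recent and ts - recent[0][0] > window:
                total -= recent.popleft()[1]
            if total >= threshold:
                alerts.append((host, recent[0][0], ts, total))
                break                       # one alert per host is enough for triage
    return alerts


if __name__ == "__main__":
    for host, start, end, total in find_bulk_egress(
            SAMPLE_LOG, allowed_destinations={"192.0.2.25"}):
        print(f"ALERT {host}: {total / GIB:.2f} GiB out "
              f"between {start:%H:%M} and {end:%H:%M} UTC")
```

Run against the constructed log with the backup target allowlisted, the only alert is for srv-casos-01, which crosses 2 GiB on its fourth connection; without the allowlist the backup job would also fire, which is why a destination allowlist (or a per-host baseline) is needed before a rule like this is useful in production.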

Ongoing Monitoring and Next Steps

As of now, the exfiltrated data has not been released publicly. Cybersecurity researchers continue to monitor underground channels for new uploads, sales activity, or shifts in ransom negotiation. If no agreement is reached before the November 24 deadline, a full leak could occur, resulting in widespread data exposure and reputational damage for the agency.

The Defensoría del Pueblo de Colombia data breach serves as a reminder of the growing intersection between cybercrime and governance, particularly in institutions that handle civil and human rights data. Strengthening national cybersecurity infrastructure, encrypting sensitive data at rest and in transit, monitoring outbound traffic for bulk transfers, and investing in staff training are essential steps to reduce the likelihood of future incidents of this nature. Encryption alone is not a complete answer: an attacker holding valid credentials or a foothold on a server reads the same decrypted records the application does, so access controls and egress monitoring have to carry part of the load.


Sean Doyle

Sean is a tech author and security researcher with more than 20 years of experience in cybersecurity, privacy, malware analysis, analytics, and online marketing. He focuses on clear reporting, deep technical investigation, and practical guidance that helps readers stay safe in a fast-moving digital landscape. His work continues to appear in respected publications, including articles written for Private Internet Access. Through Botcrawl and his ongoing cybersecurity coverage, Sean provides trusted insights on data breaches, malware threats, and online safety for individuals and businesses worldwide.

