The Guanajuato data breach has exposed confidential government files, citizen information, and internal records following a ransomware attack against the Fiscalía General del Estado de Guanajuato. The attack, attributed to the Tekir APT ransomware group, has reportedly compromised more than 250 GB of sensitive data from state systems, including those belonging to the attorney general’s office, police department, and municipal entities. According to the group’s post on its dark web leak site, the attackers encrypted servers and deleted all available backups, threatening to publish the stolen data by November 20, 2025, if no ransom is paid.
Background of the Guanajuato Data Breach
The Fiscalía General del Estado de Guanajuato (FGEG) is the principal public prosecution authority in the Mexican state of Guanajuato, responsible for criminal investigations, legal case management, and digital recordkeeping for the state’s justice system. On November 10, 2025, the office released an official statement confirming that a “preventive review of security controls” was underway to ensure the “optimal functioning of its IT systems.” This phrasing was widely interpreted as an attempt to acknowledge technical disruptions without confirming the full scope of the incident.
The ransomware group Tekir APT later published evidence on a dark web leak site showing that its operators had infiltrated and encrypted government infrastructure linked to pgj-gto.gob.mx. The group claimed that the breach affected every major subdomain, including those operated by the state attorney general, police, and municipality. Screenshots shared by the attackers show server directories, database exports, and administrative control panels confirming unauthorized access to internal systems.
Scope of the Compromise
According to the attackers’ statement, the Guanajuato data breach impacted “all subdomains” under the pgj-gto.gob.mx domain. Tekir APT claims to have encrypted and exfiltrated data from multiple state departments and deleted every backup in the process. The stolen dataset reportedly includes:
- Personal identification data of government employees and citizens
- Internal communications and administrative emails
- Digital legal case files and investigation records
- Sensitive law enforcement documents and reports
- Financial and payroll information from state offices
- Database backups containing authentication credentials
The total size of the stolen data is estimated at more than 250 GB, comprising both structured and unstructured files. Tekir APT provided six images as proof of compromise, showing evidence of server access, lost connections to backup systems, and screenshots of the Fiscalía’s digital environment. The attackers warned that the information will be leaked publicly if payment is not made by November 20, 2025, Mexico time.
Timeline of the Attack
Initial disruptions in the Fiscalía’s IT systems were reported in early November, when employees began experiencing outages across case management and email platforms. On November 9, 2025, multiple local news outlets reported that systems had “collapsed,” with prosecutors and administrative staff unable to access digital records. One day later, the Fiscalía General del Estado de Guanajuato released an official statement referring to a “preventive review of security systems,” a phrase that has since been associated with government responses to ransomware incidents across Latin America.
By November 11, cybersecurity researchers had identified dark web listings confirming the breach, connecting the attack to the Tekir APT ransomware group. The evidence aligns with recent campaigns conducted by the same group against government and educational institutions in Mexico, Brazil, and Argentina.
Details from the Attackers’ Leak Site
The Tekir APT group’s leak portal lists the Guanajuato government under the identifier pgj-gto.gob.mx with a timestamp of November 10, 2025. The listing includes screenshots of encrypted directories and remote desktop sessions showing interrupted connections to backup servers. The group’s message reads: “All subdomains of the state of Guanajuato, such as the attorney general’s office, police department, and municipality, have been compromised and encrypted. All backups have been deleted. The data leak includes 250+ GB of sensitive information such as personal identification details, legal case files, and internal communications. Data will be published if payment is not made by November 20, 2025.”
This statement implies that the ransomware group executed a multi-phase attack involving privilege escalation, lateral movement, and destruction of backup storage. Such tactics are consistent with advanced ransomware operations designed to maximize impact and leverage for ransom negotiations.
Possible Data Exposure
If the attackers’ claims are verified, the breach would represent one of the largest cyber incidents affecting a Mexican state government to date. The data likely includes files from law enforcement operations, active investigations, witness protection records, and confidential legal documentation. Exposure of such materials would compromise not only individual privacy but also ongoing judicial proceedings.
Cybersecurity experts have raised concerns that personal identification data of both public employees and private citizens could already be circulating in underground markets. Files from similar government breaches have previously been resold to criminal networks specializing in identity theft, financial fraud, and extortion. The inclusion of court documents and internal reports in this dataset could also expose sensitive information related to organized crime investigations within the region.
Government Response
In its official statement, the Fiscalía General del Estado de Guanajuato reaffirmed its commitment to information protection, transparency, and service continuity. However, the office did not acknowledge the ransomware attack or any data loss. The announcement emphasized that all public communications must be verified through official channels, suggesting an effort to control the narrative amid growing speculation on social media.
Local digital rights organizations have criticized the lack of transparency, noting that several previous ransomware incidents in Mexico were initially downplayed using similar language. The public has also reported disruptions in access to official websites and online case tracking systems, adding credibility to the attackers’ claims. No evidence has emerged that the government intends to negotiate with the ransomware group.
About the Tekir APT Group
Tekir APT is an emerging ransomware operation identified in 2025 that has conducted multiple attacks targeting Latin American institutions. The group’s operations focus on governmental and educational sectors with weak backup strategies and limited incident response resources. Tekir APT uses custom-developed malware designed to exfiltrate large volumes of data before initiating encryption, ensuring that stolen materials can be used for double extortion even if systems are restored.
The group’s infrastructure includes a dark web leak site and a network of anonymized servers used to communicate ransom demands. In prior attacks, Tekir APT has threatened to leak sensitive data if victims fail to respond within short deadlines, typically between seven and ten days. The group’s tactics align with those used by other high-profile ransomware collectives such as CL0P, LockBit, and RansomHouse, though Tekir appears to operate primarily in Spanish- and Portuguese-speaking regions.
Regional Cybersecurity Impact
The Guanajuato data breach adds to a growing list of cyberattacks targeting Latin American government systems. Over the past year, ransomware groups have breached public institutions in Mexico, Peru, and Chile, often exploiting outdated software and poor network segmentation. These attacks demonstrate a trend in which ransomware operators exploit local infrastructure and limited cybersecurity budgets to extract maximum leverage.
In Mexico, previous breaches have targeted federal entities and state police departments, including incidents affecting Mexico City’s Secretariat of Citizen Security and the Attorney General’s Office of Quintana Roo. The attack on Guanajuato marks an escalation, as Tekir APT claims to have compromised not just one department but multiple interconnected systems across the entire state.
Risk to Citizens and Public Services
The Guanajuato data breach has significant implications for both government operations and citizens. With police and judicial systems potentially compromised, there is an immediate risk to the integrity of criminal case files, including evidence chains and witness data. The exposure of these materials could jeopardize prosecutions, enable tampering, or place individuals at physical risk.
Citizens whose personal information was stored within government databases may face threats of identity theft and fraud. Attackers can use national identification numbers, contact details, or legal documentation to commit financial crimes or target victims with phishing schemes. Law enforcement agencies must now assess whether exposed data could affect the security of ongoing investigations involving organized crime.
Preventive Actions and Mitigation
Authorities in Guanajuato must immediately isolate affected networks and coordinate with Mexico’s National Cybersecurity Coordination Center (CNCS) to contain further spread. Systems should be restored only from verified offline backups, and all compromised accounts must undergo password resets and access audits. It is also essential to deploy endpoint protection systems capable of detecting residual ransomware executables and data exfiltration tools.
Individuals and organizations within the region should adopt proactive security measures, including multi-factor authentication, encryption for stored data, and offline backup storage. Regular security assessments and employee awareness training can reduce the risk of phishing-based infiltration. For individuals concerned about potential data exposure, using a trusted anti-malware tool such as Malwarebytes can help detect malicious software that may be used in follow-up scams related to this incident.
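The guidance above says systems should be restored only from verified offline backups. The following Python script is an added example of what that verification can look like in practice; it is not tooling from the Fiscalía or from any of the organizations named here. It assumes a manifest of SHA-256 digests is written when the backup is taken and stored offline alongside it; before a restore, every file in the backup set is re-hashed and compared against the manifest, so a copy that was truncated, overwritten by encryption, or had files removed is refused rather than restored. The file names and contents in the demo are constructed for illustration only.

```python
import hashlib
import json
import tempfile
from pathlib import Path

# Added example (hypothetical helper, not any agency's tooling): verify an
# offline backup set against a manifest of SHA-256 digests before restoring.

CHUNK = 1024 * 1024  # hash files in 1 MiB blocks so large dumps don't load into memory


def sha256_file(path: Path) -> str:
    """Return the hex SHA-256 digest of a file, read in chunks."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for block in iter(lambda: f.read(CHUNK), b""):
            h.update(block)
    return h.hexdigest()


def build_manifest(backup_root: Path) -> dict:
    """Record the digest of every regular file under backup_root, keyed by relative POSIX path."""
    manifest = {}
    for p in sorted(backup_root.rglob("*")):
        if p.is_file():
            manifest[p.relative_to(backup_root).as_posix()] = sha256_file(p)
    return manifest


def verify_backup(backup_root: Path, manifest: dict) -> dict:
    """Compare the files on disk with the manifest taken at backup time.

    Returns a report listing files that are missing, modified (digest differs)
    or unexpected (on disk but not in the manifest). 'ok' is True only when all
    three lists are empty; a restore should proceed only in that case.
    """
    current = build_manifest(backup_root)
    missing = sorted(set(manifest) - set(current))
    unexpected = sorted(set(current) - set(manifest))
    modified = sorted(k for k in manifest if k in current and current[k] != manifest[k])
    return {
        "ok": not (missing or modified or unexpected),
        "missing": missing,
        "modified": modified,
        "unexpected": unexpected,
    }


def demo() -> tuple:
    """Constructed scenario: a clean backup, then the same set after one file is
    overwritten with junk (as encryption would do) and another is deleted."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "cases").mkdir()
        (root / "cases" / "expediente-0001.txt").write_text("constructed case file\n")
        (root / "cases" / "expediente-0002.txt").write_text("another constructed file\n")
        (root / "db.sql").write_text("-- constructed database dump\n")

        manifest = build_manifest(root)          # taken at backup time, kept offline
        clean = verify_backup(root, manifest)    # untouched set: ok == True

        (root / "db.sql").write_bytes(b"\x00\x01junk")          # simulate overwrite
        (root / "cases" / "expediente-0002.txt").unlink()       # simulate deletion
        tampered = verify_backup(root, manifest)  # ok == False, with details
    return clean, tampered


if __name__ == "__main__":
    clean_report, tampered_report = demo()
    print(json.dumps({"clean": clean_report, "tampered": tampered_report}, indent=2))
```

The manifest only proves integrity if it cannot be altered by the same actor who alters the backup, which is why it belongs on offline or write-once media rather than on the backup server itself; signing the manifest with a key that never lives on the network being restored strengthens this further.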
Wider Implications
The Guanajuato data breach highlights the urgent need for stronger cybersecurity frameworks within Mexican public institutions. State and municipal governments often rely on outdated infrastructure without sufficient investment in modern defenses. This incident illustrates how ransomware groups exploit regional vulnerabilities to conduct large-scale data theft and extortion. It also underscores the importance of regional cooperation among Latin American cybersecurity agencies to track ransomware actors that frequently shift operations across borders.
In recent years, government systems in Latin America have become lucrative targets for cybercriminal groups because of their sensitive data and limited technical resilience. Analysts warn that unless nations improve their national cybersecurity strategies, these attacks will continue to escalate in frequency and sophistication.
Data Breach Summary
- Organization: Fiscalía General del Estado de Guanajuato
- Location: Guanajuato, Mexico
- Threat Actor: Tekir APT ransomware group
- Incident Type: Ransomware and data exfiltration
- Data Exposed: Legal records, personal data, case files, and internal communications
- Data Volume: 250 GB+
- Deadline: November 20, 2025
- Status: Ongoing, data pending publication
The Guanajuato data breach stands as a critical reminder of the vulnerability of government institutions to modern ransomware threats. With 250 GB of sensitive data allegedly stolen and encrypted, the state faces severe operational and reputational damage. As forensic investigations continue, authorities must prioritize transparency and invest in robust cybersecurity infrastructure to prevent future incidents of this scale.
Sean Doyle
Sean is a tech author and security researcher with more than 20 years of experience in cybersecurity, privacy, malware analysis, analytics, and online marketing. He focuses on clear reporting, deep technical investigation, and practical guidance that helps readers stay safe in a fast-moving digital landscape. His work continues to appear in respected publications, including articles written for Private Internet Access. Through Botcrawl and his ongoing cybersecurity coverage, Sean provides trusted insights on data breaches, malware threats, and online safety for individuals and businesses worldwide.