Peru's Fondo Social del Proyecto Integral Bayóvar (FOSPIBAY), a social fund operating in Sechura, has allegedly suffered a significant data breach exposing 12,400 user accounts, 4,721 DNI (Documento Nacional de Identidad) numbers, and thousands of additional sensitive records. According to reporting from Daily Dark Web, threat actors reportedly gained access through a combination of SQL injection exploitation and weak administrative credentials, compromising a trove of personally identifiable information tied to Peruvian citizens participating in the Bayóvar project's social programs.
What Happened
FOSPIBAY, the social fund tied to the Integral Bayóvar Project in northern Peru's Piura region, was targeted in a cyberattack that leveraged a classic web application vulnerability: SQL injection. Attackers reportedly combined this flaw with the exploitation of weak administrative credentials to access the organization's backend systems and exfiltrate customer and transactional data. The incident was first surfaced publicly through threat intelligence monitoring of dark web forums and leak channels, where the stolen dataset was advertised.
FOSPIBAY operates as a social investment fund intended to channel development resources to communities affected by phosphate extraction activities in the Sechura desert region, making the exposed population particularly vulnerable from both an economic and identity-theft perspective.
What Was Taken
The allegedly compromised dataset is broad in scope and highly sensitive, spanning identity, financial, and behavioral records:
- 12,400 user accounts (user IDs, usernames, email addresses)
- 4,721 DNI numbers (Peruvian national identity document numbers)
- 3,200 order records
- 2,103 phone numbers
- 1,842 physical addresses
- 987 payment card records
- Password hashes
- Registration timestamps
- Billing and shipping details
The inclusion of DNI numbers is especially damaging. In Peru, the DNI functions as the primary identity document required for banking, government services, voting, and employment verification, making it a prime vector for downstream identity fraud.
Why It Matters
This breach reflects a recurring pattern across Latin American public-facing organizations: legacy web applications with insufficient input validation continue to be exploited with decades-old techniques. For a social fund whose beneficiaries often represent rural or economically marginalized populations, the fallout is disproportionately harsh. Victims may face targeted phishing, SIM swap attempts, fraudulent loan applications, and impersonation using their DNI credentials.
Strategically, the incident also highlights the systemic risk presented by small and mid-sized public-interest entities that handle citizen-level PII without the security maturity typical of national-level agencies. Threat actors are increasingly probing these softer targets, knowing the data they hold is equivalent in value to that of far larger organizations.
The Attack Technique
According to available reporting, the intrusion chain combined two well-understood weaknesses:
- SQL Injection (SQLi): A web application vulnerability allowing attackers to inject crafted SQL statements into database queries, typically through unvalidated form fields or URL parameters. Successful exploitation enables data extraction, authentication bypass, or in some cases remote command execution via database features.
- Weak Administrative Credentials: Once initial footholds were established, attackers reportedly leveraged weak or guessable admin-level credentials, suggesting either the absence of multi-factor authentication, use of default credentials, or failure to enforce password complexity standards.
This combination, SQLi plus weak admin auth, is a hallmark of opportunistic breach campaigns targeting regional government, NGO, and mid-market commercial portals.
What Organizations Should Do
Defenders operating similar public-sector or social-fund platforms should treat this incident as a wake-up call and take immediate action:
- Audit all web applications for injection vulnerabilities. Deploy parameterized queries, prepared statements, and server-side input validation. Supplement with a Web Application Firewall (WAF) capable of detecting SQLi signatures.
- Enforce MFA on all administrative accounts. No admin interface should be accessible with a password alone, particularly when exposed to the public internet.
- Rotate and harden credentials immediately. Eliminate default passwords, enforce strong complexity requirements, and audit for reused credentials across systems.
- Review password hashing standards. If legacy hashes (MD5, SHA-1, unsalted SHA-256) are in use, migrate to bcrypt, Argon2, or scrypt with appropriate work factors.
- Segment databases containing PII. Ensure that a compromised web tier cannot directly query sensitive citizen data without intermediate authorization controls.
- Notify affected individuals and regulators. Under Peru's Ley de Protección de Datos Personales (Law No. 29733), organizations are required to notify the Autoridad Nacional de Protección de Datos Personales (ANPD) and affected data subjects of incidents involving personal data.
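The first and fourth recommendations above, as an added illustration that is not FOSPIBAY's code (its stack and schema are not public): a constructed SQLite user table with a concatenated lookup beside its parameterized form, plus a login routine that verifies a legacy unsalted MD5 hash and transparently re-hashes it with scrypt on success. The table, the `users` columns and the `scrypt$salt$digest` storage format are assumptions for the demo.

```python
import hashlib
import hmac
import os
import sqlite3

# Constructed demo account; the stored value is a legacy unsalted MD5 hash.
LEGACY_MD5 = hashlib.md5(b"correct horse").hexdigest()

def new_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, pw_hash TEXT)")
    conn.execute("INSERT INTO users (username, pw_hash) VALUES (?, ?)", ("admin", LEGACY_MD5))
    return conn

def find_user_unsafe(conn, username):
    # Anti-pattern: the untrusted value is spliced into the SQL text, so a quote
    # in the input changes the statement's structure instead of its data.
    q = "SELECT id, username FROM users WHERE username = '%s'" % username
    return conn.execute(q).fetchall()

def find_user_safe(conn, username):
    # Parameterized query: the driver binds the value separately from the statement,
    # so the input can only ever be compared as a string literal.
    q = "SELECT id, username FROM users WHERE username = ?"
    return conn.execute(q, (username,)).fetchall()

def scrypt_hash(password, salt=None):
    # Salted, memory-hard hash; n/r/p are the work factors the page refers to.
    salt = salt or os.urandom(16)
    digest = hashlib.scrypt(password.encode(), salt=salt, n=2**14, r=8, p=1)
    return "scrypt$" + salt.hex() + "$" + digest.hex()

def verify_password(stored, password):
    if stored.startswith("scrypt$"):
        _, salt_hex, digest_hex = stored.split("$")
        cand = hashlib.scrypt(password.encode(), salt=bytes.fromhex(salt_hex), n=2**14, r=8, p=1)
        return hmac.compare_digest(cand.hex(), digest_hex)
    # Legacy unsalted MD5: only accepted so the account can be upgraded on next login.
    return hmac.compare_digest(hashlib.md5(password.encode()).hexdigest(), stored)

def login(conn, username, password):
    # Always parameterized; migrates a legacy hash to scrypt once the password is confirmed.
    row = conn.execute("SELECT id, pw_hash FROM users WHERE username = ?", (username,)).fetchone()
    if row is None:
        return False
    user_id, stored = row
    if not verify_password(stored, password):
        return False
    if not stored.startswith("scrypt$"):
        conn.execute("UPDATE users SET pw_hash = ? WHERE id = ?", (scrypt_hash(password), user_id))
    return True
```

A regression test comparing `find_user_unsafe` and `find_user_safe` on the same tautology-shaped input is a quick way to confirm a lookup is actually bound rather than concatenated.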
Monitoring dark web channels for further distribution of the FOSPIBAY dataset, and providing affected Peruvian citizens with identity-theft guidance, should be considered urgent next steps for both the organization and national cybersecurity authorities.
Sources: FOSPIBAY Data Breach Exposes User Accounts and DNI Records - Daily Dark Web