▣ Breach URUGUAY-CITIZENS-D 2026-05-28

Uruguay Antel Identity Service: La Pampa Leaks Data Exfiltration

A threat group operating under the moniker "La Pampa Leaks" has claimed responsibility for compromising Uruguay's government-sponsored identity service, exposing a purported 5.8 million records of Uruguayan citizens. The incident, surfaced in mid-May 2026, is the latest in a sustained wave of attacks against Latin American public-sector targets, with the regional cybercriminal ecosystem pivoting toward pure-extortion and data-monetization models.

What Happened

In mid-May 2026, the threat actor known as La Pampa Leaks publicly claimed it had breached the identity service operated by Antel, the Uruguayan state-owned telecommunications provider responsible for managing government-sponsored citizen identity infrastructure. According to the claims, the group is monetizing the stolen dataset by operating it as a citizen-data lookup service, allowing third parties to query records against Uruguayan identity information.

The incident fits a broader pattern observed across the region. In February 2026, the Chronus Group claimed compromises across 25 separate Mexican government agencies. In March, Colombia's health ministry absorbed more than 23 million attempted attacks in a single month. Bitsight data places Peru, Mexico, and Brazil among the world's top 10 most-targeted nations, each absorbing at least 90 confirmed breaches in the trailing 12 months.

What Was Taken

La Pampa Leaks claims to have exfiltrated approximately 5.8 million records tied to Uruguayan citizens, drawn from the Antel-managed identity service. While the full schema has not been independently verified, identity-service breaches of this type typically expose:

Uruguay's population is roughly 3.4 million, meaning the claimed record count substantially exceeds the living population, suggesting historical records, duplicates, or aggregated identity transactions are likely included in the corpus.

Why It Matters

The public-administration sector has become the single most-breached industry in Latin America, accounting for 21% (543 incidents) of all regional breaches tracked by Bitsight over the past year. Identity-service compromises are uniquely damaging because the exposed data is non-rotatable: citizens cannot reissue their national identity numbers the way a bank can reissue a card.

Kaspersky's Fabio Assolini notes that regional actors are abandoning encryption-based ransomware in favor of "pure extortion" focused exclusively on high-volume exfiltration. This shift compresses the defender's window: there is no encryption event to trigger incident response, and the first signal of compromise is often the dataset appearing for sale or as a lookup service. For Uruguay, the downstream risk is widespread identity fraud, SIM-swap attacks against Antel subscribers, and targeted social engineering against citizens and government employees.

The Attack Technique

Specific initial-access vectors used against the Antel identity service have not been disclosed publicly. Regional precedent, however, points to recurring entry points exploited by Latin American threat groups:

Assolini emphasizes that regional actors possess intimate knowledge of local geopolitical and administrative structures, allowing them to identify which agencies and contractors hold the highest-value data and which have the weakest controls.

What Organizations Should Do

Government agencies, telecommunications providers managing state services, and contractors across the region should treat this incident as a forcing function:

  1. Inventory and isolate citizen-data stores. Identify every system holding population-scale identity records and enforce segmentation, strict egress controls, and query-rate limiting to detect bulk exfiltration.
  2. Audit contractor and third-party access. Map every external entity with read access to identity systems, revoke standing privileges, and require just-in-time access with full session logging.
  3. Hunt for pure-extortion indicators. Shift monitoring focus from encryption events to anomalous data movement: large outbound transfers, off-hours database dumps, and unusual cloud-storage destinations.
  4. Harden perimeter and identity infrastructure. Patch internet-facing appliances on an accelerated cadence, enforce phishing-resistant MFA on all administrative accounts, and rotate credentials tied to government data platforms.
  5. Prepare citizen-notification and fraud-monitoring workflows. Coordinate with national data-protection authorities and financial regulators to enable rapid fraud monitoring for affected populations.
  6. Monitor regional leak channels and lookup services. Track Spanish- and Portuguese-language criminal forums and Telegram channels where regional actors such as La Pampa Leaks and the Chronus Group advertise and monetize stolen government data.
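Steps 1 and 3 above come down to watching query rate and data movement rather than waiting for an encryption event. The following is an added example (not code from the brief or from Antel) that runs two such checks over constructed identity-service audit lines: a per-client lookup rate ceiling and an off-hours bulk export; the log format, field names and thresholds are all assumptions.

```python
# Added example: flag bulk-lookup and off-hours export patterns in
# constructed identity-service audit logs. Log format, field names and
# thresholds are assumptions for illustration, not Antel's real ones.
from collections import defaultdict
from datetime import datetime

# Constructed sample lines: timestamp, client id, action, rows returned.
SAMPLE_LOG = """\
2026-05-14T10:02:11 client=portal-web action=lookup rows=1
2026-05-14T10:02:12 client=portal-web action=lookup rows=1
2026-05-14T10:02:13 client=vendor-42 action=lookup rows=1
2026-05-14T10:02:13 client=vendor-42 action=lookup rows=1
2026-05-14T10:02:14 client=vendor-42 action=lookup rows=1
2026-05-14T10:02:14 client=vendor-42 action=lookup rows=1
2026-05-14T10:02:15 client=vendor-42 action=lookup rows=1
2026-05-14T03:17:40 client=dba-batch action=export rows=5800000
2026-05-14T14:00:00 client=dba-batch action=export rows=1200
"""

LOOKUPS_PER_MINUTE = 4         # assumed per-client rate ceiling
EXPORT_ROWS_OFF_HOURS = 10000  # assumed bulk-export row threshold
BUSINESS_HOURS = range(8, 19)  # 08:00-18:59 local time, assumed

def parse(line):
    """Split one audit line into (timestamp, client, action, rows)."""
    ts, *kv = line.split()
    fields = dict(p.split("=", 1) for p in kv)
    return datetime.fromisoformat(ts), fields["client"], fields["action"], int(fields["rows"])

def find_alerts(log_text):
    """Return sorted (rule, client) pairs for suspicious access patterns."""
    per_minute = defaultdict(int)   # (client, minute) -> lookup count
    alerts = set()
    for line in log_text.strip().splitlines():
        ts, client, action, rows = parse(line)
        if action == "lookup":
            key = (client, ts.strftime("%Y-%m-%dT%H:%M"))
            per_minute[key] += 1
            if per_minute[key] > LOOKUPS_PER_MINUTE:
                alerts.add(("bulk-lookup", client))
        elif action == "export" and rows >= EXPORT_ROWS_OFF_HOURS and ts.hour not in BUSINESS_HOURS:
            alerts.add(("off-hours-export", client))
    return sorted(alerts)

if __name__ == "__main__":
    for rule, client in find_alerts(SAMPLE_LOG):
        print(f"{rule}: {client}")
```

In the constructed sample, vendor-42 trips the per-minute lookup ceiling and dba-batch's 03:17 export trips the off-hours bulk rule, while the daytime 1,200-row export does not.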

Sources: Latin American Cybercriminals Hoover Up Government Data