Latin American Cybercriminals Hoover Up Government Data

A purported leak exposing 5.8 million records of Uruguayan citizens is the latest incident where cybercriminals targeted government agencies to monetize citizen data.

Robert Lemos, Contributing Writer
May 27, 2026

Image source: Jhonny Marcell Oportus via Shutterstock

Cyber threat groups in Latin and South America have increasingly targeted government agencies and contractors, stealing and monetizing citizen data at a rate that has made the public-administration sector in the region the most-breached in the past year.

In mid-May, a group known as La Pampa Leaks claimed to have compromised Uruguay's government-sponsored identity service managed by telecommunications provider Antel, reportedly monetizing the information as a citizen-data lookup service. In February, a hacking collective known as the Chronus Group claimed to have stolen data from 25 different Mexican government agencies and groups. And, in Colombia, cyberattackers targeted the nation's health ministry with more than 23 million attempted attacks during the month of March.

The region has spawned its own cybercriminal ecosystem, with local cybercriminal groups targeting government agencies and municipal infrastructure in nations such as Chile, Colombia, Mexico, and Uruguay, says Fabio Assolini, lead security researcher at Kaspersky's Global Research and Analysis Team (GReAT).

"Unlike global cartels that cast a wide net, these actors intimately understand the regional geopolitical landscape," he tells Dark Reading, adding that they have their own playbooks as well: "Moving away from traditional operational models, these groups are pivoting to 'pure extortion' attacks, bypassing the encryption phase entirely to focus solely on high-volume data exfiltration."

Also on attackers' radar in the past year: organizations in Peru, Mexico, and Brazil, which have suffered at least 90 data breaches each, placing them in the top 10 most-targeted nations, according to data from Bitsight, a cyber-risk platform provider. In addition, "public administration" topped the list of industry sectors for breach victims, accounting for 21% of breaches, or 543, in the past 12 months, according to the company's data.

[Figure: Public administration has dominated as the economic sector most targeted by cybercriminals. Source: Bitsight]

While cyber-threat actors may be finding fertile fields for attacks in the region, the geopolitical environment in Latin America adds another layer to the cyber threat landscape, says Emma Stevens, a threat intelligence researcher at Bitsight.

"Elections, political differences, economic instability, and foreign influence concerns can make government institutions more attractive to hacktivists, state-aligned actors, and financially motivated groups," she says. "Recent activity across Uruguay, Paraguay, Argentina, and Mexico suggests repeated targeting of public-sector and citizen-adjacent systems, not just isolated incidents."

LatAm Cybercriminals Lean Toward Different Attack Playbooks

Like other threat actors, those targeting the Latin American threat landscape tend to focus on hacktivism, financial gain, or nation-state activity. Yet, in many ways, they also have their own playbooks.

While regional threat actors utilize the same initial access and lateral movement strategies as major ransomware groups, their post-exploitation behavior differs significantly, says Kaspersky's Assolini.

"Instead of deploying encryptors, they quietly siphon governmental databases," he says. "Their strategy relies on psychological and public pressure, mirroring the modus operandi of groups like ShinyHunters."

In late May, for example, the ransomware group Bashe, also known as APT73, claimed a compromise of Grupo Petersen, an engineering and construction company that works on many public-works projects in Argentina. The group is one of the regional groups known for often fabricating data breach claims using publicly accessible data, or reusing data from previous breaches.

Antel, for example, downplayed La Pampa Leaks' claims of a breach by saying (via Google Translate) that "passwords, signature PINS, private keys associated with digital certificates, or credentials were not compromised, so the operation or authentication mechanisms currently used by the platform have not been affected."

Ransomware groups in other regions have used broad claims to put pressure on victims, but the technique is especially prevalent in Latin America, says Kaspersky's Assolini.

"A significant portion of these 'new' announcements are elaborate deceptions," he says. "Cybercriminal groups frequently recycle historical, publicly available data — from older, well-known breaches — mix it with auto-generated records, and falsely attribute it to a new corporate target."

More Regional Regulations Attract Extortion Attempts

One reason attacks on governments in the region have grown so quickly: when faced with a ransom demand, public agencies will often weigh the cost against the potential legal and political consequences of a public leak, says Assolini.
More nations in the region are adopting strict cybersecurity rules and requiring that agencies and contractors comply.

"Cybercriminals have realized that regulatory compliance can be weaponized," he says. "By threatening to publish sensitive citizen data, attackers leverage the victims' fear of massive government fines, political fallout, and severe reputational damage."

Organizations should build resilience in the areas on which cyber threat actors continue to focus, such as exposed services, weak identity controls, unpatched vulnerabilities, and open ports, says Bitsight's Stevens.

"For LatAm CERTs specifically, identity security and exposed infrastructure should come first, because those are the areas that can turn a single weak point into a much larger public-sector incident," she adds.

About the Author

Robert Lemos, Contributing Writer

Rob is an award-winning, veteran technology journalist of more than 30 years, reporting on global cybersecurity issues, the latest offensive and defensive technologies, malware incidents, cyber conflict, and AI's impact on software and cybersecurity. A former research engineer, Rob has written for more than two dozen publications, including CNET News.com, Dark Reading, MIT's Technology Review, Popular Science, and Wired News. He has received five awards for journalism, including Best Deadline Journalism (Online) in 2003 for his coverage of the Blaster worm. Rob also analyzes data on various trends using Python and R for both his reporting and his clients. Recent reports include analyses of the shortage in cybersecurity workers, annual vulnerability trends, and annual threat reports. Rob holds degrees from Cornell University in Electrical Engineering and Computer Science (double major).