
Cybercriminals Attacked National Social Security Fund of Morocco - Millions of Digital Identities at Risk of Data Breach

Cyber Threat Intelligence

data breach, data leak, consumers, identity theft, PII, privacy


Introduction

Resecurity has identified a threat actor targeting government systems in Morocco to exfiltrate large volumes of sensitive data relating to citizens. Using the alias 'Jabaroot,' the actor released claims about the successful compromise of the National Social Security Fund of Morocco (CNSS). The motive behind the data breach remains unclear, but the scale of the compromise has already generated attention across the region's cybersecurity community and among privacy experts. The breach could be interpreted as Morocco's most significant cyber-attack by number of victims (consumers).

The Morocco National Social Security Fund (CNSS), or Caisse Nationale de Sécurité Sociale, is a public institution responsible for managing the compulsory social security plan for salaried employees in Morocco's private sector, covering healthcare, disability, and retirement benefits. Like organizations in the US and EU, such funds store a significant amount of digital identity information relating to citizens. A data breach of such scale will likely have a negative, long-lasting impact on citizens' data that could create risks of fraud and identity theft. The CNSS is the primary social security administrative body in Morocco. Established in 1961 to replace the Caisse d'Aide Sociale (initially established in 1942), CNSS has played an essential role in the social protection of private sector workers.

What it covers:

Healthcare:
Provides access to hospitalization, medical services, and other treatments for insured individuals and their dependents.

Pension:
Responsible for the pension system, providing retirement benefits to eligible individuals.

Unemployment:
Administers unemployment benefits, providing financial support to eligible individuals who lose their jobs.

Other benefits:
The CNSS also provides benefits for maternity, disabilities, family allowances, death grants, and survivor's pensions.

Cybercriminal or Espionage Narrative

April 8, 2025 - An actor has leaked a massive volume of stolen data in CSV and PDF files. The data has been published on one of the prominent underground forums on the Dark Web. Interestingly, the actor has never offered this data for sale and did not attempt to monetize it privately. According to inside information, the actor could have tried to receive a ransom payment from the government, but his demands have never been met.

On the other hand, such tactics are also typical for advanced espionage groups targeting governmental agencies. To avoid attribution, such actors prefer to operate under the guise of cybercriminal or hacktivist motives. Resecurity is investigating the incident in collaboration with law enforcement to determine the possible circumstances of this data breach.

Resecurity has acquired the data and alerted its customers so they can validate its authenticity. The feedback collected confirmed that the data was valid, leaving the affected victims concerned that their Personally Identifiable Information (PII) had become public due to a breach of the governmental agency. Notably, none of them has received any notification from the regulators or the affected party, which raises specific concerns about the coordination and transparency of data breach disclosure and consumer rights advocacy.

The actor has created a Telegram channel where he cited, as the main motive of his attack, the compromise of the Twitter account of the Algerian Press Service (APS) by Moroccan hackers. The conflict in cyberspace between Algerian and Moroccan hacking groups is well-known, which could also be one of the reasons behind this activity.

The actor also leaked the salary information of several government officials, accusing them of downplaying the incident.

The Scope of the Data Breach

The threat actor has leaked a CSV file containing personal information about 1,996,026 employees from various enterprises operating in Morocco. Notably, the CNSS has presumably more than 40,000 reporting companies and over 3.9 million employees in its system, so the data breach could be interpreted as large-scale. This leaked data should concern the employees, their employers, and various commercial and governmental agencies, as bad actors can use it for malicious purposes, including social engineering campaigns to breach an employee’s employer or to compromise the employee’s accounts on various Internet services.

The stolen dataset was included in a 7z archive with timestamps from November 29, 2024. It is unclear whether the incident itself dates from last year; the actor may have withheld the data to benefit from exclusive access to it and only later decided to leak it.

The leaked data includes files related to enterprises and individuals, reporting their salaries and associated personally identifiable information (PII) details.

- enterprises
companyName
affiliateNumber
dateAdhesion
dateAffiliation
typeAdherent
companyNameMandataire
affiliateNumberMandataire
modaliteTelepaiement
agence
directionRegionale
admin_firstName
admin_lastName
admin_cin
admin_email
admin_phoneNumber
admin_isRL
bank_accountId
bank_bankCode
bank_adherent_id
bank_adherent_numAffilie
bank_adherent_typeAdherent
bank_adherent_modaliteTelepaiement
bank_adherent_adherentMandataire
bank_adherent_raisonSocial
bank_accountState
bank_accountDefaultState
bank_dateCreation
bank_accountRIB

- individuals
ID_adherent
newImmatriculatedId
firstName
lastName
immatriculationNumber
cin
passportNumber
residenceNumber
creationDate
demandMode
affiliateName
affiliateNumber
demandState

The negative side effect of this data breach is the disclosure of citizens' passports, emails, salaries, and banking information. Fraudsters are exploiting such data for online banking theft via social engineering, and the victims have a challenging time protecting themselves against it. They will have to replace their documents, which is not always practical or technically feasible.
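For an affected employer assessing its own exposure, the following added example (not Resecurity's code and not taken from the original report) summarises which identifier types are exposed for its staff, using the "individuals" field names listed above, and matches HR records by keyed hash so raw identifiers are not passed around. It assumes `affiliateNumber` identifies the employer and `immatriculationNumber` is an identifier HR already holds; the function names and all sample values are constructed.

```python
import csv, hashlib, hmac, io
from collections import Counter

# Identifier columns taken from the "individuals" field list above.
ID_FIELDS = ("immatriculationNumber", "cin", "passportNumber", "residenceNumber")

def token(value, key):
    """Keyed hash of an identifier, so matches can be shared without raw IDs."""
    return hmac.new(key, value.strip().upper().encode(), hashlib.sha256).hexdigest()

def exposure_summary(csv_text, own_affiliates, key):
    """Count exposed identifier types for rows belonging to our own employer.

    Assumption: affiliateNumber identifies the employer. Other rows are skipped.
    """
    exposed, tokens, rows = Counter(), set(), 0
    for raw in csv.DictReader(io.StringIO(csv_text)):
        row = {k.strip(): (v or "").strip() for k, v in raw.items() if k}
        if row.get("affiliateNumber") not in own_affiliates:
            continue
        rows += 1
        for field in ID_FIELDS:
            if row.get(field):
                exposed[field] += 1
        if row.get("immatriculationNumber"):
            tokens.add(token(row["immatriculationNumber"], key))
    return {"rows": rows, "exposed": dict(exposed), "tokens": tokens}

def match_hr(hr_ids, summary, key):
    """Return the HR-held identifiers whose token appears in the leak summary."""
    return sorted(i for i in hr_ids if token(i, key) in summary["tokens"])

# Constructed sample: header follows the page's field list, every value is made up.
SAMPLE = (
    "ID_adherent,newImmatriculatedId,firstName,lastName,immatriculationNumber,"
    "cin,passportNumber,residenceNumber,creationDate,demandMode,affiliateName,"
    "affiliateNumber,demandState\n"
    "1,,TEST,ONE,100000001,XX000001,,,2024-01-01,WEB,EXAMPLE SARL,9000001,OK\n"
    "2,,TEST,TWO,100000002,,PP000002,,2024-01-02,WEB,EXAMPLE SARL,9000001,OK\n"
    "3,,TEST,THREE,100000003,XX000003,,,2024-01-03,WEB,OTHER SA,9000002,OK\n"
)

if __name__ == "__main__":
    key = b"local-secret"  # placeholder; generate and keep a random key locally
    s = exposure_summary(SAMPLE, {"9000001"}, key)
    print(s["rows"], s["exposed"])
    print(match_hr(["100000002", "100000009"], s, key))
```

The per-field counts indicate which document types need reissue or monitoring advice, and the matched list tells HR whom to notify.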

The data breach also affected government employees. Representatives of multiple government agencies in Morocco have been identified in the leak.

Victims include employees of the Moroccan Agency for Investment and Export Development (AMDIE), the Ministry of Economy and Finance, the Ministry of Health, the National Agency for the Promotion of Small and Medium Businesses (Maroc PME), the Moroccan Pension Fund, the General Treasury of the Kingdom, the National Office for Product Safety (ONSSA), and other agencies.

The breach affects entities in Morocco and poses a risk for foreign companies operating in the country, as multiple branches of EU-based companies have been identified in the leaked data.

The impacted companies include entities operating in various fields, including but not limited to:

  • Aviation
  • Government
  • Financial institutions
  • Energy
  • Utilities
  • Logistics
  • Technology
  • Oil & Gas

Significance

Notably, almost 2 years ago, Morocco’s National Social Security Fund (CNSS) issued an official statement alerting individuals about the danger of disclosing their personal information to unreliable sources, as it can be exploited for fraudulent purposes.

The statement noted that the CNSS “disassociates itself from individuals who have contacted several citizens impersonating representatives of the fund, demanding their banking information.”

In this regard, the CNSS has pledged to closely monitor and investigate all individuals involved in such fraudulent schemes and to take all necessary legal action against them.

This notification may confirm that Morocco is an attractive target for cybercriminals, considering the growing digitization in the country.

Conclusion

The situation surrounding the CNSS highlights the growing cybersecurity challenges in Morocco, particularly as cybercriminals become more sophisticated in their tactics. It underscores the need for governmental and individual vigilance to protect sensitive information against cyber threats.
