Morocco’s Caisse Nationale de Sécurité Sociale (CNSS), the national authority responsible for managing the social security system for private sector employees, has allegedly suffered a significant data breach. A threat actor posted on a dark web forum claiming to have exfiltrated a massive database containing sensitive information belonging to Moroccan citizens. The CNSS is a critical government institution that handles pensions, health insurance, and other social benefits for millions of people, making any potential data leak a matter of national concern.
The perpetrator alleges that they were able to bypass the organization’s security protocols, which they described as weak, including a “bypassable” Two-Factor Authentication (2FA) system. According to the post, this is the second major breach to target the institution. As proof of the intrusion, the threat actor has released a sample of data containing information on 10,000 individuals and families. They have threatened to sell the entire dataset if the CNSS denies the breach.
The full dataset allegedly for sale contains a substantial amount of personally identifiable information (PII). The data advertised by the threat actor includes:
- 220,000 Family Data records
- 750,000 Individual CNSS documents
