Data leak at Mexico’s power giant threatens to leave the entire country in the dark

A Mexican state-owned power company that serves over 99% of the country has been leaking data online for more than three years. Meanwhile, the company says its operations have never been compromised.
- Over 600GB of CFE’s internal network and security logs were left publicly accessible for more than three years.
- The leak could enable attackers to map vulnerabilities and bypass defenses.
- Researchers warn that attackers could manipulate CFE’s Industrial Control Systems, potentially damaging equipment or disrupting the electricity supply to nearly the entire country of Mexico.
- Despite 29 emails sent over five months, the company has not responded.
Cybernews researchers have stumbled across a publicly accessible Kibana instance holding more than 600GB of network and threat alert logs.
The server was managed by Mexican cybersecurity company Teliko, but the data stored belonged to the Federal Electricity Commission (CFE), Mexico’s state-owned electric utility that claims to power over 99% of the population.
The leak is deeply concerning, as threat actors exploiting the exposed data could disrupt the power supply to nearly the entire country of Mexico.
According to the Cybernews research team’s evaluations, attackers could have used the leaked data to cause physical damage to the system. We can neither confirm nor deny that threat actors have obtained the data. However, given that it has been leaking for years, it is likely that a malicious actor has discovered it.
After the article was published, CFE issued a statement reassuring its customers that electrical operations were never in danger. According to CFE, “the operational electricity networks are isolated from the information technology network of the company.”
“CFE reports that the downloaded information, referred to in the note, is from January to October 2022 and does not include sensitive information from CFE’s electricity operating network, since these networks are not interconnected with the company’s Information Technology network. Therefore, it is reiterated: the electrical operation has never been compromised,” reads CFE's statement.
Additionally, the company claims that exposed information only includes details from January to October of 2022.
#CFEInforma | CFE’s electrical operation is secure and has not been compromised. ⚡
In response to the information published on the internet, we clarify that the country’s electricity supply has at no time been at risk.
The electrical operating networks are completely… pic.twitter.com/D0MwZklfzT
CFEmx (@CFEmx) August 14, 2025
CFE internal data exposed
What CFE data was leaked?
- DNS queries from employee machines
- Visited URLs
- Deep Packet Inspection (DPI) logs
- Alerts from anti-malware and network monitoring tools
First indexed in November 2021, the exposed instance held a feed of logs from CFE’s internal network. The leaking Kibana instance stored data generated by a Managed Detection and Response (MDR) solution called AIsaac.
The instance contained lists of vulnerable devices, servers, and services. For a malicious actor, this information is gold. With these logs, you could map out CFE’s security posture, pinpoint which defenses are weak or missing, and craft an attack guaranteed to slip under the radar. “Once a machine on CFE's network is compromised, attackers could move laterally through the network,” said Cybernews researchers.
“Ultimately, attackers could potentially interact with Industrial Control systems, modifying their settings, which can lead to damage of physical systems or the turning off of critical systems,” the team added.
Beyond the operational threat, the logs double as a privacy breach. Detailed records of employee internet activity could be mined to identify internal tools, map domain usage, and mimic legitimate services.
Using leaked data, attackers could craft convincing spear-phishing campaigns by registering a look-alike domain, sending an email, and waiting for clicks.
Cybernews tried contacting the company, sending 29 emails in total over the past five months, but has not received a response. At the moment, the exposed Kibana instance appears to be unreachable – timing out and crashing whenever anyone tries to connect.
However, depending on how the leaking party handles the issue, there is a risk that 600GB of sensitive logs could easily resurface, just as publicly accessible as before.
Critical infrastructure increasingly targeted by cybercriminals
Cybersecurity is absolutely essential for organizations that run critical systems, because successful cyberattacks could shut down entire cities, put lives at risk, tank the economy, and burn reputations.
“With this specific case, we can see part of the reason why we see an increased number of attacks against critical infrastructure. Often, these systems rely on third parties that aren't properly vetted, making them easier targets for attackers,” said our researchers.
The researchers remind us that critical infrastructure relies heavily on industrial control systems (ICS), which are often outdated and use legacy protocols that lack crucial security features such as authentication and encryption.
“As a result, we have an interconnected web of various vulnerabilities and misconfigurations that the attacker can navigate without many technical roadblocks, compared to other industries.”
Critical infrastructure has been increasingly targeted by hackers worldwide, causing disruptions in service. In 2021, the DarkSide ransomware gang turned a few compromised passwords and unpatched security holes into one of the most disruptive cyberattacks in US history.
They forced Colonial Pipeline, the country’s largest fuel distributor, into a five-day shutdown. It was the first time in the company’s 57-year history that operations had ground to a halt. Following the attack, former US president Joe Biden signed an executive order to improve the country’s defences against cyberattacks.
The Iran-linked hacking group CyberAv3ngers has also been waging a dangerous campaign. Using custom-built malware, they’ve breached industrial control systems in water treatment plants, wastewater facilities, and oil-and-gas operations across the US, Israel, and Ireland.
The Russian-linked hacktivist group Anonymous Sudan claimed multiple attacks on Israel’s Industrial Control Systems (ICS) and satellite networks in an attempt to disrupt critical infrastructure. Cybernews research showed that many Israeli industrial control systems are vulnerable to attacks.
Disclosure Timeline:
Leak discovered: March 4th, 2025
Initial disclosure: March 31st, 2025
Updated on August 18th [01:45 p.m. GMT] with a statement from CFE.