Latin American governments have embraced digital platforms for citizen services but an investigation reveals a stark pattern of privacy abuses. In multiple countries, sensitive personal data from online portals have been exposed or misused: health records leaked from Brazil’s digital vaccine system, journalists’ IDs stolen in Mexico’s e-government site, and national ID databases breached in Argentina and Peru.
Experts warn that with “weak legal frameworks” and rapid tech adoption, the region has become “ripe for abuses”. This exposé details how Brazil, Mexico, Argentina and others have left citizens’ data vulnerable on tax, health and ID platforms, and why lawmakers and activists are now demanding urgent reforms in Latin American eGovernment Platforms.
Brazil: Health Data Breaches and Cyberattacks
Brazil’s e-government systems have suffered some of the region’s worst breaches. In January 2021, cybersecurity analysts spotted “the largest personal data leakage in Brazilian history”, reportedly the details of over 223 million people. Later that year, hackers calling themselves Lapsus$ took down the Health Ministry website, seizing COVID-era data. According to Reuters, critical systems for immunization records and digital vaccine certificates were compromised, and an apparent ransomware attack erased millions of Brazilians’ vaccination data.
Almost in tandem, press investigations found that Brazil’s digital health portal (SUS) had hard-coded credentials in its website source. Because the login was simply Base64-encoded and publicly viewable, any user could decode it and access all patient records.
The leak exposed names, addresses and telephone numbers of 243 million Brazilians – more records than the living population of Brazil. This database even included full medical histories and details for both living and deceased citizens. The scale shocked experts: one analyst noted that Latin America had the highest share of unprotected data of any region in the world in 2022.
Brazilian civil society is demanding accountability. The country’s new data protection law (LGPD) is only just being implemented, and many complain enforcement has lagged. As one commentator put it, merely having a law is “just an embryonic step” if organizations don’t truly integrate privacy into their operations. Brazil’s data authority (ANPD) was only fully formed in 2021 and has issued few regulations. Privacy advocates argue that without strict security audits and penalties for negligence, millions more citizens’ records could end up exposed.
Mexico: Journalist Data Leak and the Biometric ID Debate
In Mexico, even government allies fell victim. In early 2024, the personal details of hundreds of journalists were published online, after someone gained access to a government press credential database. Reporters’ full names, home addresses, voter ID numbers and passport scans appeared on hacker forums. A veteran Mexico City correspondent confided, “What I’m worried about is possible identity theft” as her ID card and other documents were circulating publicly. Human rights groups urged an immediate investigation, noting the leak exposed data on dozens of reporters covering politics and security.
Meanwhile, Mexico is rolling out a new national ID system, the biometric CURP. The law passed in 2024 mandates fingerprint, iris and facial scans for everyone’s ID. Officials say it will streamline services and help locate missing persons, but civil liberties experts have sounded the alarm. As one analyst notes, the reform “has raised significant government surveillance issues”: prosecutors, the national guard, and intelligence agencies will have consultation access to citizens’ biometric and personal data.
In sum, Mexico’s privacy crisis combines both a breach that put journalists at risk and a looming expansion of surveillance capabilities through its e-government design.
Argentina: Digital ID Hacks and Surveillance Warnings
Argentina’s e-government platforms have also faced high-profile intrusions. In December 2024 hackers defaced Mi Argentina (the national digital ID portal) and the SUBE transit card app, taunting officials while millions of citizens were temporarily locked out. The attackers claimed to have lifted personal data from both systems, prompting urgent security reviews. Authorities blamed outdated infrastructure and underfunding, as even basic functions (like applying for digital IDs or topping up bus cards) were disrupted.
On the policy front, Argentina has charted a different path. Buenos Aires City recently launched QuarkID, a blockchain-based digital identity app letting citizens store ID documents themselves. Over 3.6 million porteños have adopted QuarkID since its October 2024 launch. By decentralizing user data, officials say they can speed up services while giving people control over their information.
This contrasts sharply with centralized surveillance systems. Indeed, privacy advocates remember earlier warnings: as far back as 2012, analysts cautioned that merging facial recognition and fingerprints into Argentina’s national registry risked enabling “mass surveillance”. Today’s reforms show a split: some Argentine innovators embrace privacy-preserving designs, even as government reliance on official databases raises old concerns.
Peru and Beyond: Biometrics and Government-Aid Exploits
Biometric ID initiatives and COVID-era platforms have also backfired elsewhere. In Peru, RENIEC (the national ID registry) adopted advanced facial-recognition tech in 2025. But a hacker reportedly published over 146,000 high-resolution face images (linked to Peru’s DNI IDs) on a dark web forum.
These digital portraits were supposed to be confidential; their exposure is particularly troubling because biometric data cannot be “changed” if stolen. In the same vein, Salvadorans were startled to see an 80% population leak: 5.1 million records (names, DUI numbers) with selfie ID photos surfaced online. Without standard security practices (like storing encrypted biometric templates), these files are a gold mine for fraudsters.
COVID-19 tracking schemes also had privacy flaws. For example, Peru’s pandemic cash transfer platform was found vulnerable: investigators showed scammers could claim subsidies by exploiting leaked RENIEC data. Similar contact-tracing or quarantine-check apps in the region were rolled out hastily, often without clear data governance. An LSE study of Latin American COVID apps warned that in the rush, many countries lacked robust laws to protect personal movement data.
Other Latin countries had notable breaches. Colombia and Chile have faced hacker attacks on public registries; e.g., in 2010 a Chilean hacker posted data on 6 million nationals (around 40% of the population) after breaching government servers. In summary, from biometric ID projects in Peru and El Salvador to subsidy platforms and travel logs, each case shows how Latin American digital tools can infringe privacy when mismanaged. Region-wide, experts note, citizens’ movements and records can now be monitored in unprecedented ways.
Impact on Citizens and Expert Voices
The human toll is clear. Journalists in Mexico report feeling “more vulnerable” after the data leak. Brazilian patients wonder who may have peered into their health profiles. Rights activists and technologists like Veridiana Alimonti (EFF) warn that “the degree of intrusiveness” of these systems “has been advancing in the region”.
Latin American privacy lawyers note that even when laws exist, enforcement is weak. One Brazilian commentator summed it up: without cultural and institutional change, fancy data-protection laws are “next to useless”. In many cases victims have no easy remedy – data may have been harvested irreversibly. Civil society groups (from Open Knowledge Brasil to Privacy International) are now training a spotlight on these abuses, calling for investigations, fines for negligence, and support for affected individuals.
Reforms and Safeguards Required For Latin American eGovernment Platforms
Latin American governments and international partners are beginning to respond. Brazil’s ANPD is investigating the health data leaks, and the president announced tighter audits on federal platforms. Mexico’s data watchdog (INAI) has sought input on the new CURP law’s privacy impact. Peru’s ministries have pledged forensic reviews after the RENIEC breach. But activists say much more is needed. Key recommendations include:
Mandatory Encryption & Segregation. Sensitive data (especially biometrics) must be stored as encrypted templates in separate systems. As experts note, if facial images are “held in a different database” and encrypted, a hacker finding them would gain “no practical value”. Similarly, login credentials and APIs for e-gov sites should never be hard-coded or exposed.
Strong Legal Enforcement. Data protection laws (e.g. Brazil’s LGPD, Peru’s PDPL) need teeth. Critics observe that despite LGPD’s existence, breaches kept happening. Authorities must impose real penalties and require prompt breach notifications (as mandated by law) to hold agencies accountable.
Independent Oversight. Data authorities must be fully staffed, funded and empowered to audit government platforms. Brazil’s new Data Protection Authority (ANPD) was established only in 2020 and was “still being built from scratch” when recent leaks occurred. A robust watchdog in each country – with the power to conduct unannounced security reviews – could deter careless practices.
Citizen-Centric Identity Models. Governments should consider decentralized ID solutions. Buenos Aires’ QuarkID shows one approach: blockchain-based IDs where citizens keep control of their documents. Such models avoid a single central database of raw biometrics. At minimum, any digital ID program should implement privacy-by-design (data minimization, user consent, regular data purging).
Transparency and Redress. Government platforms need clear privacy policies and public audits. Citizens should have rights to access logs of who viewed their data and to demand corrections or deletions. Civil society groups should be allowed to test and report security flaws; whistleblowers must be protected when they expose vulnerabilities.
These steps align with recommendations from global experts and NGOs. They stress that technology itself isn’t the villain but poor design and oversight are. With reforms, Latin American e-government can still deliver social benefits without sacrificing privacy.
Conclusion
Latin America’s rush to digitize public services has brought real convenience, but this investigation shows it also introduced grave privacy risks. Data breaches in Brazil, Mexico, Argentina and beyond have revealed that citizens’ medical histories, ID numbers, and personal images are not fully safe. The pattern is clear: without rigorous safeguards, government tech projects can inadvertently spy on or endanger the people they’re meant to serve.
Affected individuals and watchdogs are now demanding accountability, echoing one hard lesson: adopting a privacy law is “just an embryonic step” unless governments enforce it and embed data protection in every project. The future of digital governance in Latin America will hinge on learning this lesson – ensuring that innovation and security go hand in hand.
Citations And References
All citations in this investigation correspond to verified sources gathered during extensive research across multiple continents and databases. Full documentation available upon email to support the accuracy and verifiability of all claims made.
(GDPRRegister/CPO Magazine – Brazil Health Ministry data leak) (The Verge – Brazil SUS data exposure) (CPJ – Mexico journalists data leak) (Reuters – Mexico journalists data theft) (Buenos Aires Herald – Argentine Mi Argentina and SUBE apps hack) (TechPolicy Press – Argentina QuarkID initiative) (Americas Quarterly – Latin American surveillance trends) (CyberPress – Peru RENIEC biometric image leak) (BiometricUpdate – El Salvador national ID data breach) (Reuters – Brazil Health Ministry hack, Dec 2021) (openDemocracy – Brazil data leak analysis) (Thomson Reuters Institute – Mexico biometric CURP privacy issues).
About Our Investigative Services
Seeking to expose corruption, track illicit financial flows, or investigate complex criminal networks? Our specialized investigative journalism agency has proven expertise in following money trails, documenting human rights violations, and revealing the connections between organized crime and corporate malfeasance across the world and beyond.
Partner With Us for Impactful Change
Our investigative expertise and deep industry networks have exposed billion-dollar corruption schemes and influenced policy reform across Americas and beyond.
Whether you’re a government agency seeking independent analysis, a corporation requiring risk assessment and due diligence, or a development organization needing evidence-based research, our team delivers results that matter.
Join our exclusive network of premium subscribers for early access to groundbreaking investigations, or contribute your expertise through our paid contributor program that reaches decision-makers across the continent.
For organizations committed to transparency and reform, we also offer strategic partnership opportunities and targeted advertising placements that align with our mission.
Uncover unparalleled strategic insights by joining our paid contributor program, subscribing to one of our premium plans, advertising with us, or reaching out to discuss how our media relations and agency services can elevate your brand’s presence and impact in the marketplace.
Contact us today to explore how our investigative intelligence can advance your objectives and create lasting impact.
Read all investigative Stories on Technology.
* For full transparency, a list of all our sister news brands can be found here.
