<p></p><p>The combined sources present a critical analysis of the October 2025 cybersecurity incident impacting Uruguay’s <strong>Plataforma GURI</strong>, the education system&#39;s central data repository for millions of citizens, including minors. Security analysts confirm this incident is part of a <strong>systemic cyber campaign</strong> targeting the Uruguayan public sector, concurrent with breaches against the state bank (BHU) and the Ceibal education program. The central governance failure identified is the <strong>official refusal by ANEP</strong> to confirm or deny claims by groups like Tacuara, who alleged the theft of <strong>nearly 3 million sensitive PII records</strong>, thereby eroding public trust and exposing families to identity fraud risks. Legally, critics argue that the confirmed security failure violates the essential <strong>Principle of Security</strong> mandated under Uruguayan law, thereby undermining ANEP’s legal justification for processing sensitive data, particularly as it pertains to the integration of student academic and <strong>Ministry of Public Health</strong> records. The GURI platform’s failure also highlighted systemic weaknesses, including a lack of <strong>Multi-Factor Authentication</strong> and poor network segmentation, which allowed threat actors to achieve unauthorized access. The sources unanimously recommend immediate mandatory disclosure and the enforcement of foundational security controls to address these deep-seated vulnerabilities.</p><p><br></p>

Cybermidnight Club– Hackers, Cyber Security and Cyber Crime

Alberto Daniel Hill

Uruguay Data Hack Compromised Three Million Records

DEC 4, 202512 MIN
Cybermidnight Club– Hackers, Cyber Security and Cyber Crime

Uruguay Data Hack Compromised Three Million Records

DEC 4, 202512 MIN

Description

<p></p><p>The combined sources present a critical analysis of the October 2025 cybersecurity incident impacting Uruguay’s <strong>Plataforma GURI</strong>, the education system&#39;s central data repository for millions of citizens, including minors. Security analysts confirm this incident is part of a <strong>systemic cyber campaign</strong> targeting the Uruguayan public sector, concurrent with breaches against the state bank (BHU) and the Ceibal education program. The central governance failure identified is the <strong>official refusal by ANEP</strong> to confirm or deny claims by groups like Tacuara, who alleged the theft of <strong>nearly 3 million sensitive PII records</strong>, thereby eroding public trust and exposing families to identity fraud risks. Legally, critics argue that the confirmed security failure violates the essential <strong>Principle of Security</strong> mandated under Uruguayan law, thereby undermining ANEP’s legal justification for processing sensitive data, particularly as it pertains to the integration of student academic and <strong>Ministry of Public Health</strong> records. The GURI platform’s failure also highlighted systemic weaknesses, including a lack of <strong>Multi-Factor Authentication</strong> and poor network segmentation, which allowed threat actors to achieve unauthorized access. The sources unanimously recommend immediate mandatory disclosure and the enforcement of foundational security controls to address these deep-seated vulnerabilities.</p><p><br></p>