Cyber Incident Victim: Policía Nacional Civil de El Salvador
Date: Sep 2021
Location: El Salvador
Summary
Hacktivists operating under the name FocaLeaks compromised El Salvador's National Police by exploiting vulnerabilities in a mobile application, exfiltrating sensitive data including records on approximately 37,000 agents, civilian information, and criminal investigations. The group claimed the breach targeted authoritarian governance structures and aimed to expose abuses without disrupting infrastructure, allegedly obtaining access to a platform containing comprehensive civil and criminal records. While the police acknowledged the incident, they did not confirm the validity of the stolen data, which was partially shared with the public in redacted form by a transparency collective.
Description
In early September 2021, hacktivist group FocaLeaks claimed responsibility for breaching the Policía Nacional Civil de El Salvador (PNC), exfiltrating sensitive data on approximately 37,000 police agents. The group publicly announced the operation as part of a campaign targeting governments perceived as authoritarian, emphasizing their intent to expose institutional abuses without causing physical infrastructure damage. According to their claims, FocaLeaks exploited security vulnerabilities in a police mobile application to gain unauthorized access to internal systems. The compromised data allegedly included personnel records of agents and provided pathways to access the "Imperium" platform, a government system containing civil registry information on Salvadoran citizens and active criminal investigation files. Initial reports of the breach surfaced on September 9 through journalist David Bernal’s coverage in La Prensa Gráfica, with further details later verified and disseminated by transparency collective DDoSecrets. The PNC acknowledged awareness of the breach claims but did not publicly confirm the authenticity of the data or the extent of the intrusion at the time of reporting.

The incident represented a significant exposure of law enforcement and citizen data, with FocaLeaks asserting that the stolen information could enable access to comprehensive government records on civilians and ongoing criminal cases. DDoSecrets collaborated in the operation’s disclosure, sharing redacted portions of the dataset with the public while withholding sensitive personal details to prevent immediate misuse. The breach highlighted persistent vulnerabilities in government digital infrastructure, particularly through mobile applications interfacing with critical systems. While ransomware attacks against police departments had drawn recent global attention, this incident demonstrated the continued relevance of ideological hacktivism as a threat vector. The compromised agent records raised concerns about potential operational security risks for law enforcement personnel and the possibility of criminal actors exploiting investigation details. Despite the PNC’s non-committal public response, the scale of the claimed data exposure—affecting nearly the entire national police force—indicated substantial potential impacts on individual privacy, institutional credibility, and ongoing judicial processes.
