Cyber Incident Victim: New Mexico Public Regulation Commission

On or around January 9, 2020, the New Mexico Public Regulation Commission (PRC) experienced a cyberattack that forced its website offline. The PRC, responsible for regulating public utilities, confirmed the breach on January 14 through statements from Chief of Staff Jason Montoya and Governor Michelle Lujan Grisham's office. Initial findings suggested potential foreign involvement, though no specific actor or entity was confirmed. The New Mexico Department of Information Technology (DoIT) immediately quarantined the affected systems upon notification and initiated an investigation alongside third-party cybersecurity firm RiskSense. The Department of Homeland Security and Emergency Management was also alerted to the incident. While the attack's exact entry point and methods remained undisclosed, officials classified it as a deliberate cyber intrusion rather than routine technical failure. The PRC website remained inaccessible for at least seven days following the initial disruption, indicating sustained operational impact.

The incident occurred amid heightened cybersecurity concerns across New Mexico state agencies. Earlier in 2020, Presbyterian Healthcare Services reported a separate breach compromising personal data of over 180,000 individuals. This followed the state's involvement in the 2017 Equifax settlement, which affected 860,000 New Mexico residents. The PRC attack prompted renewed scrutiny of statewide cyber defenses, with Attorney General Hector Balderas advocating for updated cybercrime laws and requesting $500,000 in legislative funding to establish a dedicated cybercrime and counterterrorism unit. No evidence linked the PRC breach to a concurrent, brief outage at the state Economic Development Department, which officials attributed to unrelated server maintenance. Investigations by DoIT and RiskSense continued without public confirmation of data exfiltration or specific attacker attribution as of January 16.