Cyber Incident Victim: Caja Popular Mexicana
Date: Oct 2023
Location: Mexico
Summary
A ransomware attack attributed to the BlackCat group targeted a Mexican financial cooperative, disrupting branch operations and online services for over 3 million members. The incident involved data encryption for ransom rather than direct financial theft, with no reported monetary losses to customers. Service interruptions persisted for credit products and new account access during recovery efforts, though core functions were partially restored. Regulatory authorities collaborated on containment and forensic analysis, while cybersecurity experts suggested potential gaps in the institution's security maturity contributed to the attack's severity. The total financial impact on the organization remained undisclosed.
Description
On or around October 6, 2023, Caja Popular Mexicana (CPM), a financial institution serving over 3.37 million members, experienced a ransomware attack attributed to the BlackCat group. The attack caused widespread service disruptions, including intermittent access to online platforms and the temporary closure of physical branches. Banco de México (Banxico) confirmed the incident involved data hijacking rather than monetary theft, with no financial losses reported for members. Operational systems were compromised, affecting credit services such as automotive loans, mortgages, immediate credit, and Credinámico. Members faced login difficulties on new mobile devices, and new member onboarding was disrupted. The attack’s scale suggested extensive system compromise, potentially reaching operating system levels, with cybersecurity expert Hiram Camarillo noting possible deficiencies in CPM’s security maturity or inadequate protective measures.

The Comisión Nacional Bancaria y de Valores (CNBV) initiated containment measures to minimize impacts while coordinating restoration efforts. CPM collaborated with authorities to recover hijacked data and planned post-recovery audits to assess the attack’s full scope. Service restoration progressed unevenly, with lingering credit service interruptions and login issues persisting beyond initial recovery phases. CPM’s Twitter account announced an expected normalization of credit services by September 7, though this date preceded the incident timeline, indicating potential reporting discrepancies. The attack marked the fourth recorded cybersecurity incident affecting Mexican financial institutions in 2023, following three prior bank breaches and two 2022 incidents involving a bank, a brokerage house, and a credit bureau. CNBV oversight processes faced scrutiny, as CPM needed to demonstrate enhanced security investments to prevent recurrence.
