# Mexico Government OSINT Audit ![Mexico OSINT Audit](assets/mexico.png) ![Repo Size](https://img.shields.io/badge/Size-14.6_GB-blue?style=for-the-badge&logo=github) ![File Count](https://img.shields.io/badge/Files-3,710+-green?style=for-the-badge&logo=files) --- **Classification:** PRIVATE - Authorized Security Research **Date:** January 15, 2026 **Methodology:** Crystal Vault OSINT **Status:** COMPLETE **Repository Version:** 2.0 --- ## Table of Contents 1. [Quick Start for Analysts](#quick-start-for-analysts) 2. [Executive Summary](#executive-summary) 3. [Repository Overview](#repository-overview) 4. [Folder Structure Deep Dive](#folder-structure-deep-dive) 5. [Critical Vulnerability](#critical-vulnerability) 6. [PII Exposure Details](#pii-exposure-details) 7. [Data Dictionary](#data-dictionary) 8. [How to Use This Repository](#how-to-use-this-repository) 9. [Technical Details](#technical-details) 10. [Recommendations](#recommendations) 11. [Legal Disclaimer](#legal-disclaimer) --- ## Quick Start for Analysts **For AI Agents / Claude Code:** ``` This repository contains a complete OSINT audit of Mexican government infrastructure. KEY FOLDERS: - /api/ → 313 API endpoint maps (start with 00-API-INDEX.txt) - /tech stack/ → 313 technology analyses (start with 00-TECH-STACK-INDEX.txt) - /reports/ → 16 intelligence reports (start with 00-REPORT-INDEX.md) - /research/ → 14 GB raw data from 118 agencies CRITICAL FILES TO READ FIRST: 1. /reports/00-REPORT-INDEX.md - Overview of all intel reports 2. /api/00-API-INDEX.txt - Master list of all API endpoints 3. /research/AGENCY-FINDINGS-LOG.md - Detailed findings by agency 4. /stats.txt - Quick statistics summary PRIMARY FINDING: Unauthenticated API at repodatos.atdt.gob.mx exposing 520K+ PII records ``` **For Human Analysts:** - Start with the `/reports/` folder for executive-level intelligence briefs - Check `/api/` folder for specific endpoint documentation - Raw data is in `/research/{AGENCY}/raw_data/` folders --- ## Executive Summary This repository contains findings from an Open Source Intelligence (OSINT) audit of Mexican federal government digital infrastructure. The audit discovered a **publicly accessible API endpoint** exposing data from **162 federal agencies** without authentication, including **520,000+ records containing Personally Identifiable Information (PII)**. ### Key Metrics | Category | Metric | Value | |----------|--------|-------| | **Data Source** | Primary API Endpoint | `repodatos.atdt.gob.mx/api_update/` | | **Data Source** | Authentication Required | NONE | | **Data Source** | Directory Listing | ENABLED | | **Coverage** | Agencies Exposed | 162 federal organizations | | **Coverage** | Agencies Downloaded | 118 | | **Coverage** | Total CSV Files | 1,675 | | **Coverage** | Total Data Size | 14 GB | | **PII Exposure** | Critical PII Records | 520,000+ | | **PII Exposure** | Taxpayer Records (SAT) | 464,153 | | **PII Exposure** | Sanctioned Officials (SFP) | 809 | | **PII Exposure** | Notary Addresses (INDAABIN) | 1,396 | | **PII Exposure** | Crime Victims (CEAV) | ~50,000+ | | **Documentation** | API Endpoint Maps | 313 files | | **Documentation** | Tech Stack Analyses | 313 files | | **Documentation** | Intelligence Reports | 16 files | | **Financial Data** | COMPRANET Contracts | 2,851,250 records | | **Financial Data** | Total Contract Value | ~$130 Billion USD | --- ## Repository Overview ### What This Repository Contains | Folder | Files | Size | Description | |--------|-------|------|-------------| | `/api/` | 313 | ~2 MB | API endpoint documentation for every organization | | `/tech stack/` | 313 | ~2 MB | Technology fingerprinting for every website probed | | `/reports/` | 16 | ~500 KB | Intelligence-style reports on critical findings | | `/research/` | 1,675+ | 14 GB | Raw downloaded CSV data from government APIs | | `/assets/` | 1 | ~2.5 MB | Images and media files | ### File Naming Conventions ``` API Files: {AGENCY}.txt or {AGENCY} (Description).txt Tech Stack Files: {AGENCY}.txt or {domain.name}.txt Report Files: {AGENCY}-{NUMBER}-{TITLE}.md Raw Data: {agency_prefix}_{number}_{description}.csv ``` --- ## Folder Structure Deep Dive ### `/api/` - API Endpoint Documentation (313 files) Contains detailed API endpoint maps for each organization showing: - Full URL paths to data endpoints - Available files and their sizes - Access status (OPEN/CLOSED) - Authentication requirements **Key Files:** | File | Description | |------|-------------| | `00-API-INDEX.txt` | Master index of all 313 endpoints | | `SAT (Tax Authority).txt` | Tax authority API - 8 endpoints, 69 MB data | | `COMPRANET (Procurement).txt` | Procurement API - 908 MB contracts database | | `INM (Immigration).txt` | Immigration API - 22 endpoints, 317 MB | **Sample API File Structure:** ``` ================================================================================ API ENDPOINT MAP: SAT (Tax Authority) ================================================================================ BASE URL: https://repodatos.atdt.gob.mx/api_update/ AGENCY PATH: /api_update/SAT/ FULL ENDPOINT: https://repodatos.atdt.gob.mx/api_update/SAT/ ACCESS STATUS: OPEN (No Authentication Required) DIRECTORY LISTING: ENABLED ================================================================================ AVAILABLE FILES ================================================================================ FILE: SAT_1_Donatarias_Aut.csv Route: /api_update/SAT/SAT_1_Donatarias_Aut.csv Size: 27M Status: OPEN [...] ``` --- ### `/tech stack/` - Technology Stack Analysis (313 files) Contains technical fingerprinting of each website/endpoint: - HTTP headers and server information - CDN provider identification - SSL certificate details - Security header analysis - Infrastructure assessment **Key Files:** | File | Description | |------|-------------| | `00-TECH-STACK-INDEX.txt` | Master index with CDN/server summary | | `repodatos.atdt.gob.mx.txt` | Main data API - Akamai CDN, Let's Encrypt SSL | | `gob.mx.txt` | Main portal - Kubernetes + WildFly (Java) | | `datos.gob.mx.txt` | Open data portal - nginx + CKAN (Python) | **Technology Summary:** | Domain | CDN | Server | Framework | |--------|-----|--------|-----------| | repodatos.atdt.gob.mx | Akamai | Unknown | REST API | | gob.mx | Akamai | WildFly | Java EE | | datos.gob.mx | Akamai | nginx | CKAN (Python) | | sat.gob.mx | AWS CloudFront | Unknown | Unknown | --- ### `/reports/` - Intelligence Reports (16 files) Formatted intelligence briefs suitable for analyst consumption: | Report ID | Subject | Risk Level | |-----------|---------|------------| | MEX-SAT-001 | Tax Authority - 464K Taxpayer Records | CRITICAL | | MEX-SFP-002 | Public Function - 809 Sanctioned Officials | HIGH | | MEX-INDAABIN-003 | Federal Assets - 1,396 Notary Addresses | HIGH | | MEX-CEAV-004 | Crime Victims - REFEVI Registry | HIGH | | MEX-COMPRANET-005 | Procurement - $130B Contracts | MEDIUM | | MEX-INM-006 | Immigration - 1.98M Records | LOW | | MEX-SRE-007 | Foreign Relations - Consular Stats | LOW | | MEX-PEMEX-008 | National Oil Company | LOW | | MEX-HACIENDA-009 | Finance Ministry - Fiscal Data | LOW | | MEX-PROFECO-010 | Consumer Protection - 4.9 GB | MEDIUM | | MEX-INFRA-011 | API Infrastructure Vulnerability | CRITICAL | | MEX-ISSSTE-012 | Public Worker Social Security | MEDIUM | | MEX-ISSFAM-013 | Military Social Security | LOW | | MEX-SEP-014 | Education Ministry | MEDIUM | | MEX-CONAHCYT-015 | Science Council | MEDIUM | | MEX-SADER-016 | Agriculture Ministry | MEDIUM | **Report Format:** ``` # INTELLIGENCE REPORT **REPORT ID:** MEX-SAT-001 **CLASSIFICATION:** UNCLASSIFIED // FOR OFFICIAL USE ONLY **DATE:** 2026-01-15 **SUBJECT:** Mexican Tax Authority (SAT) - Mass PII Exposure ## EXECUTIVE SUMMARY [1-2 paragraph overview] ## KEY INTELLIGENCE [Metrics table] ## DETAILED FINDINGS [Data breakdown] ## SAMPLE INTELLIGENCE [Redacted examples] ## RECOMMENDATIONS [Action items] ``` --- ### `/research/` - Raw Downloaded Data (14 GB) Contains actual CSV files downloaded from government APIs: **Folder Structure:** ``` /research/ ├── AGENCY-FINDINGS-LOG.md # Detailed findings document ├── MEXICO-OSINT-SUMMARY.md # Executive summary ├── all_agencies.txt # List of 162 agencies │ ├── SAT (Tax Authority)/ │ └── raw_data/ │ ├── SAT_1_Donatarias_Aut.csv (27 MB) - Charities with PII │ ├── SAT_2_Entespublicos.csv (1.8 MB) │ ├── SAT_3_Sentencias.csv (45 KB) - Tax convictions │ ├── SAT_4_Nolocalizados.csv (4.3 MB) - Non-located taxpayers │ ├── SAT_5_Firmes.csv (18 MB) - Final tax debts │ ├── SAT_6_Exigibles.csv (475 KB) │ ├── SAT_7_Cancelados.csv (19 MB) - Cancelled status │ └── SAT_8_FORMATO_37.csv (17 KB) │ ├── SFP (Public Function)/ │ └── raw_data/ │ ├── servidores_publicos_sancionados_*.csv (173 KB) │ ├── SIDEC_historico_2012_2018.csv (8.5 MB) │ └── SIDEC_historico_2018_2023.csv (110 MB) │ ├── COMPRANET (Procurement)/ │ └── raw_data/ │ └── compranet_historico.csv (908 MB) - 2.8M contracts │ ├── INM (Immigration)/ │ └── raw_data/ │ ├── 141_tramites_migratorios.csv (280 MB) - 1.98M rows │ └── [21 additional files] │ └── [114 additional agency folders...] ``` **Largest Data Files:** | File | Size | Records | Agency | |------|------|---------|--------| | compranet_historico.csv | 908 MB | 2,851,250 | COMPRANET | | 141_tramites_migratorios.csv | 280 MB | 1,980,000 | INM | | SIDEC_historico_2018_2023.csv | 110 MB | Multiple | SFP | | Various PROFECO files | 4.9 GB | Multiple | PROFECO | --- ## Critical Vulnerability ### Unauthenticated API Endpoint ``` ┌─────────────────────────────────────────────────────────────┐ │ CRITICAL SECURITY FINDING │ ├─────────────────────────────────────────────────────────────┤ │ URL: https://repodatos.atdt.gob.mx/api_update/ │ │ Access: NO AUTHENTICATION REQUIRED │ │ Directory: LISTING ENABLED │ │ Agencies: 162 federal organizations │ │ Status: ACTIVELY MAINTAINED (January 2026) │ │ PII: 520,000+ records exposed │ └─────────────────────────────────────────────────────────────┘ ``` **Access Method:** ```bash # List all agencies (no auth needed) curl -s https://repodatos.atdt.gob.mx/api_update/ # List files for specific agency curl -s https://repodatos.atdt.gob.mx/api_update/SAT/ # Download data file curl -O https://repodatos.atdt.gob.mx/api_update/SAT/SAT_5_Firmes.csv ``` **Security Failures:** - No authentication mechanism - No rate limiting - Directory listing enabled - No access logging (apparent) - PII data not redacted - No data classification enforcement --- ## PII Exposure Details ### Critical: 520,000+ Records Exposed | Source | Category | Records | Data Fields | Risk | |--------|----------|---------|-------------|------| | SAT | Individuals | 337,847 | RFC + Full Names | CRITICAL | | SAT | Companies | 126,306 | RFC + Company Names | CRITICAL | | SAT | Charities | 10,798 | RFC + Name + Phone + Email + Address | CRITICAL | | SFP | Officials | 809 | Full Names + Agency + Sanctions | HIGH | | INDAABIN | Notaries | 1,396 | Full Names + Complete Addresses | HIGH | | CEAV | Victims | ~50,000+ | Federal Victims Registry | HIGH | ### Sample Exposed Data **SAT Taxpayer Records (SAT_5_Firmes.csv):** ``` RFC NOMBRE_CONTRIBUYENTE AAGL5405077Y7 JOSE LUIS ANDRADE GARCIA AAQC721208UCA CESAR AUGUSTO ALCARAZ QUIHUIS AURA650108EL7 AURELIA AGUIRRE RUIZ BACJ4004042D0 JORGE BARRERA CARRILLO ``` **SFP Sanctioned Officials:** ``` EXPEDIENTE NOMBRE INSTITUCION SANCION 000065/2018 EMILIO RICARDO LOZOYA AUSTIN PEMEX (CEO) Inhabilitacion 000001/2018 EDGAR TORRES GARRIDO Pemex Fertilizantes Inhabilitacion ``` **INDAABIN Notary Records:** ``` ID NOMBRE NOTARIA DIRECCION NOTPIF-1 Arturo G. Orenday González 18 Adolfo Lopez Mateos 1001, Aguascalientes NOTPIF-6 María Cristina Ochoa Amador 5 Madero 442, planta baja, Centro ``` --- ## Data Dictionary ### Common Field Names (Spanish → English) | Spanish | English | Description | |---------|---------|-------------| | RFC | Tax ID | Registro Federal de Contribuyentes (13 chars) | | CURP | National ID | Clave Unica de Registro de Poblacion (18 chars) | | NOMBRE | Name | Full name or first name | | APELLIDO_PATERNO | Paternal Surname | Father's last name | | APELLIDO_MATERNO | Maternal Surname | Mother's last name | | RAZON_SOCIAL | Company Name | Legal business name | | DOMICILIO | Address | Full address | | CALLE | Street | Street name | | NUMERO | Number | Street number | | COLONIA | Neighborhood | Colony/neighborhood | | CODIGO_POSTAL | Postal Code | ZIP code (5 digits) | | ENTIDAD | State | Federal entity/state | | MUNICIPIO | Municipality | City/municipality | | TELEFONO | Phone | Phone number | | CORREO | Email | Email address | | FECHA | Date | Various date fields | | MONTO | Amount | Monetary amount | | ESTATUS | Status | Record status | ### Agency Abbreviations | Abbreviation | Full Name | English | |--------------|-----------|---------| | SAT | Servicio de Administración Tributaria | Tax Administration Service | | SFP | Secretaría de la Función Pública | Ministry of Public Function | | INM | Instituto Nacional de Migración | National Immigration Institute | | SRE | Secretaría de Relaciones Exteriores | Ministry of Foreign Relations | | PEMEX | Petróleos Mexicanos | Mexican Petroleum | | CFE | Comisión Federal de Electricidad | Federal Electricity Commission | | IMSS | Instituto Mexicano del Seguro Social | Mexican Social Security Institute | | ISSSTE | Instituto de Seguridad y Servicios Sociales | Public Workers Social Security | | SEP | Secretaría de Educación Pública | Ministry of Public Education | | SHCP/HACIENDA | Secretaría de Hacienda y Crédito Público | Ministry of Finance | --- ## How to Use This Repository ### For Security Analysts 1. **Start with Reports:** Read `/reports/00-REPORT-INDEX.md` for prioritized findings 2. **Check API Endpoints:** Use `/api/` files to understand data exposure scope 3. **Verify Tech Stack:** Use `/tech stack/` for infrastructure assessment 4. **Analyze Raw Data:** Access `/research/{AGENCY}/raw_data/` for actual files ### For AI Agents (Claude Code, etc.) ```python # Recommended reading order: files_to_read = [ "reports/00-REPORT-INDEX.md", # Overview of findings "api/00-API-INDEX.txt", # All API endpoints "stats.txt", # Quick statistics "research/AGENCY-FINDINGS-LOG.md", # Detailed findings ] # To find specific agency data: # 1. Check /api/{AGENCY}.txt for endpoint info # 2. Check /tech stack/{AGENCY}.txt for infrastructure # 3. Check /reports/{AGENCY}-*.md for intelligence report # 4. Check /research/{AGENCY}/raw_data/ for actual CSV files # Critical PII files: critical_files = [ "research/SAT (Tax Authority)/raw_data/SAT_5_Firmes.csv", "research/SFP (Public Function)/raw_data/servidores_publicos_sancionados_*.csv", "research/INDAABIN (Federal Assets)/raw_data/padron_notarios_*.csv", ] ``` ### For Data Analysis ```bash # Count records in a CSV wc -l research/SAT\ \(Tax\ Authority\)/raw_data/SAT_5_Firmes.csv # Search for specific data grep -r "LOZOYA" research/ # List all CSV files find research/ -name "*.csv" -type f # Calculate total data size du -sh research/ ``` --- ## Technical Details ### Infrastructure Discovered | Component | Technology | Evidence | |-----------|------------|----------| | CDN | Akamai | Server-Timing: ak_p header | | CDN | AWS CloudFront | X-Amz-Cf-* headers (SAT) | | SSL | Let's Encrypt | Certificate on repodatos | | SSL | DigiCert | Certificate on gob.mx | | App Server | WildFly | JSESSIONID cookie pattern | | Platform | CKAN | ckan= session cookie | | Orchestration | Kubernetes | INGRESS_STICKY cookie | ### Data Collection Methodology 1. **Discovery:** Identified open directory at repodatos.atdt.gob.mx 2. **Enumeration:** Listed all 162 agencies via directory listing 3. **Download:** Used curl to download all available CSV files 4. **Analysis:** Examined files for PII content 5. **Documentation:** Created endpoint maps and tech stack analyses 6. **Reporting:** Generated intelligence reports for critical findings --- ## Recommendations ### For Mexican Government (CERT-MX) | Priority | Action | Timeline | |----------|--------|----------| | CRITICAL | Implement API authentication | Immediate | | CRITICAL | Disable directory listing | Immediate | | CRITICAL | Review SAT PII exposure | 24-48 hours | | HIGH | Add rate limiting | 1 week | | HIGH | Audit all datasets for PII | 2 weeks | | MEDIUM | Implement access logging | 1 month | | MEDIUM | Data anonymization review | 1 month | ### For Responsible Disclosure 1. Report to CERT-MX (cert-mx@cert.org.mx) 2. Notify INAI (National Transparency Institute) 3. Document timeline and communications 4. Allow 90 days for remediation before public disclosure --- ## Legal Disclaimer This audit was conducted using Open Source Intelligence (OSINT) methodology. All data was obtained from publicly accessible sources without bypassing any security controls, as **no authentication was required**. **Important:** - Data obtained for security research purposes only - No exploitation or malicious use intended - Findings should be reported to appropriate authorities - Raw data should not be redistributed publicly --- ## Metadata ```yaml repository: name: Mexico Government OSINT Audit version: 2.0 date: 2026-01-15 status: COMPLETE methodology: Crystal Vault OSINT statistics: agencies_exposed: 162 agencies_downloaded: 118 csv_files: 1675 data_size_gb: 14 pii_records: 520000+ api_maps: 313 tech_stacks: 313 intel_reports: 16 primary_finding: type: Unauthenticated API url: https://repodatos.atdt.gob.mx/api_update/ severity: CRITICAL folders: - path: /api/ files: 313 description: API endpoint documentation - path: /tech stack/ files: 313 description: Technology fingerprinting - path: /reports/ files: 16 description: Intelligence reports - path: /research/ files: 1675+ description: Raw CSV data (14 GB) - path: /assets/ files: 1 description: Images and media ``` --- *Audit conducted under Crystal Vault OSINT methodology* *January 15, 2026*