# Mexico Government OSINT Audit - Complete Findings **Date:** January 2026 **Target:** Mexican Government Digital Infrastructure **Status:** Data Collection Complete **Methodology:** Crystal Vault OSINT Framework --- ## Executive Summary An OSINT audit of Mexican government digital infrastructure revealed a **massive open data repository** exposing datasets from **122 federal agencies** without authentication. The audit confirmed **464,000+ taxpayer records** with personally identifiable information (PII) publicly accessible, including names, tax IDs (RFC), phone numbers, email addresses, and physical addresses. ### Key Metrics | Category | Count | |----------|-------| | **Individual PII Records** | 337,847 | | **Company Records** | 126,306 | | **Charity Orgs (Full Contact Info)** | 10,798 | | **Government Contracts** | 2,851,250 | | **Total Contract Value** | $130 Billion USD | | **Files Downloaded** | 105 | | **Total Data Size** | ~1.8 GB | --- ## Critical Finding: Open Data Repository ### Infrastructure Details | Property | Value | |----------|-------| | **URL** | `https://repodatos.atdt.gob.mx/api_update/` | | **Authentication** | NONE REQUIRED | | **Directory Listing** | ENABLED | | **Agencies Exposed** | 122 federal organizations | | **Last Updated** | January 14, 2026 (actively maintained) | ### API Pattern ``` https://repodatos.atdt.gob.mx/api_update/[agency]/[dataset]/[file].csv ``` ### Exposed Agencies Include: - **SAT** - Tax Administration (Servicio de Administracion Tributaria) - **INM** - Immigration (Instituto Nacional de Migracion) - **SRE** - Foreign Relations (Secretaria de Relaciones Exteriores) - **SEP** - Education (Secretaria de Educacion Publica) - **IMSS** - Social Security (Instituto Mexicano del Seguro Social) - **PEMEX** - National Oil Company - **CFE** - Federal Electricity Commission - **Tren Maya** - Major Rail Infrastructure Project - Plus 114 additional agencies... --- ## SAT (Tax Authority) - CRITICAL PII EXPOSURE ### Files Downloaded (8 files, 69 MB) | File | Size | Records | PII Level | |------|------|---------|-----------| | SAT_1_Donatarias_Aut.csv | 27 MB | 16,693 | **CRITICAL** | | SAT_2_Entespublicos.csv | 1.8 MB | 16,152 | Medium | | SAT_3_Sentencias.csv | 45 KB | 553 | **HIGH** | | SAT_4_Nolocalizados.csv | 4.3 MB | 53,356 | **HIGH** | | SAT_5_Firmes.csv | 18 MB | 238,536 | **HIGH** | | SAT_6_Exigibles.csv | 475 KB | 6,024 | Medium | | SAT_7_Cancelados.csv | 19 MB | 171,713 | **HIGH** | | SAT_8_FORMATO_37.csv | 17 KB | 60 | Low | ### Individual vs Company Breakdown | File | Individuals (F) | Companies (M) | |------|-----------------|---------------| | SAT_3_Sentencias | 311 | 240 | | SAT_4_Nolocalizados | 39,453 | 13,902 | | SAT_5_Firmes | 177,807 | 60,728 | | SAT_7_Cancelados | 120,276 | 51,436 | | **TOTAL** | **337,847** | **126,306** | ### PII Fields Exposed **SAT_1_Donatarias (Charity Registry) - MOST SEVERE:** - RFC (Tax ID) - Organization Name - **Full Physical Address** - **Legal Representative Full Name** - **Phone Number** - **Email Address** - Authorization Documents **SAT_3/4/5/7 (Tax Offender Lists):** - RFC (Tax ID) - Full Name (Individual or Company) - Person Type (F=Individual, M=Company) - Category (sentencias, no localizados, firmes, etc.) - First Publication Date - State/Entity ### Sample PII Exposed **Individual Tax Debtors (SAT_5_Firmes):** ``` RFC: AAGL5405077Y7 | JOSE LUIS ANDRADE GARCIA RFC: AAQC721208UCA | CESAR AUGUSTO ALCARAZ QUIHUIS RFC: AURA650108EL7 | AURELIA AGUIRRE RUIZ RFC: BACJ4004042D0 | JORGE BARRERA CARRILLO RFC: BAPB740405TX1 | BENJAMIN BARRETO PEREZ ``` **Charity Representative (SAT_1_Donatarias):** ``` RFC: AAC101117RP1 Organization: Aacafiq A.C. Legal Rep: FRANCIS DEYANIRA NERI NAJERA Phone: 2273508 Email: aacafiq@hotmail.com Address: Gomez Morin, Sn, Col. La Estacion, C.P. 20259, Aguascalientes ``` --- ## INM (Immigration) - LOW PII RISK ### Files Downloaded (22 files, 317 MB) | File | Size | Description | |------|------|-------------| | 141_tramites_migratorios.csv | 280 MB | Migration procedures (1.98M rows) | | 140_documentos_migratorios.csv | 18 MB | Migration documents | | 07_victimas_delitos.csv | 206 KB | Foreign crime victims | | 534_menores_viajan.csv | 9.9 KB | Minors traveling | | Plus 18 additional files | ~18 MB | Various statistics | ### Data Assessment **141_tramites_migratorios.csv Analysis:** - **1,987,009 rows** of migration procedure data - Fields: Period, Nationality, Procedure, Resolution, Age Range, Sex, State, Date, Count - **NO INDIVIDUAL PII** - aggregated statistics only - Age in ranges (18-24, 25-34, etc.), not exact ages - "Numero" field is COUNT of people, not identifier **Conclusion:** INM data is aggregated statistics for open government transparency. No individual names, passport numbers, or identifiers exposed. --- ## SRE (Foreign Relations) - LOW PII RISK ### Files Downloaded (64 files, 1.4 MB) Categories include: - Passport production statistics - Visa production statistics - Child restitution case counts (by country) - Deceased Mexican nationals abroad (by state/age group) - Consular protection cases - Naturalization certificates issued - International adoption statistics - Repatriation numbers ### Data Assessment All examined SRE files contain **aggregated statistics only**: - Monthly/yearly production numbers - Case counts by country or state - No individual passport/visa numbers - No personal names or case details **Conclusion:** SRE data is statistical reporting for transparency. No individual PII exposed. --- ## COMPRANET (Government Procurement) ### File Downloaded (1 file, 908 MB) | Metric | Value | |--------|-------| | File | compranet_historico.csv | | Records | 2,851,250 contracts | | Unique Vendors | 327,194 | | Total Value | 2,342,397,405,747.25 MXN | | USD Equivalent | ~$130 Billion | ### Top Vendors by Contract Count 1. Summa Company - 16,271 contracts 2. Farmaceuticos Maypo - 13,944 contracts 3. Marcas Nestle - 10,983 contracts 4. Procter & Gamble Mexico - 8,689 contracts 5. PepsiCo Mexico - 7,398 contracts ### Fields - Contract code - Vendor name (company) - Contract title/description - Contract type - Amount (MXN) - Start/end dates **PII Level:** LOW - primarily company names, not individual data --- ## HACIENDA (Finance Ministry) ### Files Downloaded (10 files, ~480 MB) | File | Size | Description | |------|------|-------------| | ingreso_gasto_finan_hist.csv | 153 MB | Historical income/expenditure | | ingreso_gasto_finan.csv | 118 MB | Current income/expenditure | | transferencias_entidades_fed.csv | 78 MB | Federal entity transfers | | transferencias_entidades_fed_hist.csv | 65 MB | Historical transfers | | deuda_publica.csv | 20 MB | Public debt | | deuda_publica_hist.csv | 17 MB | Historical debt | | rfsp.csv | 12 MB | Public sector financial requirements | | Plus 3 methodology files | ~2 MB | RFSP methodology data | **PII Level:** NONE - fiscal/budgetary statistics only --- ## Risk Assessment | Level | Finding | Impact | |-------|---------|--------| | **CRITICAL** | SAT charity data with full contact info | 10,798 organizations with phone/email/address | | **HIGH** | SAT tax offender lists with names + RFC | 337,847 individuals exposed | | **MEDIUM** | Directory listing across 122 agencies | Attack surface enumeration | | **LOW** | INM/SRE aggregated statistics | Open government data | --- ## Recommendations ### Immediate Actions 1. **SAT Data:** Report PII exposure to Mexican CERT (CERT-MX) 2. **API Access:** Recommend implementing authentication 3. **Directory Listing:** Should be disabled at infrastructure level ### For Further Investigation 1. Download and analyze remaining 117 agency datasets 2. Check for API endpoints beyond CSV files 3. Cross-reference SAT RFC numbers with other databases 4. Examine IMSS (Social Security) if accessible --- ## Data Integrity All files downloaded directly from source APIs: - Source: `repodatos.atdt.gob.mx` - Method: Direct HTTP download (curl) - Verification: File sizes match server listings - Timestamps: January 15, 2026 --- ## File Structure ``` C:\Users\Squir\Desktop\Mexico\ ├── stats.txt ├── research/ │ ├── MEXICO-OSINT-SUMMARY.md (this file) │ ├── targets.md │ ├── SAT (Tax Authority)/ │ │ └── raw_data/ (8 files, 69 MB) │ ├── INM (Immigration)/ │ │ ├── raw_data/ (22 files, 317 MB) │ │ └── findings.md │ ├── SRE (Foreign Relations)/ │ │ └── raw_data/ (64 files, 1.4 MB) │ ├── COMPRANET (Procurement)/ │ │ └── compranet_historico.csv (908 MB) │ ├── HACIENDA (Finance Ministry)/ │ │ └── raw_data/ (10 files, ~480 MB) │ └── datos-gob-mx/ │ └── CRITICAL-api-exposure.md ├── data/ └── reports/ ``` --- *Research conducted under Crystal Vault methodology for government accountability* *OSINT - Open Source Intelligence - No unauthorized access*