# CRITICAL FINDING: Mexican Government Data Repository Exposure

## Summary
**122 Mexican government organizations** have publicly accessible directory listings at:
`https://repodatos.atdt.gob.mx/api_update/`

This represents a significant infrastructure exposure across the entire Mexican federal government.

---

## Exposed Organizations (Partial List)

### Security & Intelligence Related
- INM (Instituto Nacional de Migración) - Immigration
- SRE (Secretaría de Relaciones Exteriores) - Foreign Relations
- CEAV - Crime Victim Assistance
- CNE - Electoral bodies

### Financial & Economic
- SAT - Tax Administration Service
- NAFIN - National Development Bank
- PEMEX - National Oil Company
- CFE - Federal Electricity Commission
- Banco de México (potentially)

### Social Services
- IMSS - Social Security Institute
- ISSSTE - Government Workers Social Security
- SEP - Education
- Secretaría de Salud - Health
- CENSIDA - HIV/AIDS Agency

### Infrastructure
- Tren Maya - Major rail project
- FONATUR - Tourism development
- SCT - Communications and Transport

### Research & Education
- CONACYT/CONAHCYT - Science and Technology
- IPN - National Polytechnic Institute
- CICESE, COLPOS, CIADH, IPICYT - Research centers

### Cultural
- INAH - Anthropology and History
- INBAL - Fine Arts
- Canal 22 - Public TV

---

## Technical Details

### API Structure
- **Root:** `https://repodatos.atdt.gob.mx/api_update/`
- **Pattern:** `/api_update/[organization_code]/[dataset]/[file].csv`
- **Access:** No authentication required
- **Directory Listing:** ENABLED (critical misconfiguration)

### Last Updated
January 14, 2026 - indicating active, current data

---

## INM Specific Files Discovered

### Large Files of Interest
| File | Size | Description |
|------|------|-------------|
| `141_tramites_migratorios.csv` | **293.1 MB** | Migration procedures - potentially detailed records |
| `140_documentos_migratorios.csv` | 18.7 MB | Migration documents |
| `04_documentos_migratorios_2024-2025.csv` | 17.1 MB | Recent migration documents |

---

## Risk Assessment

### Exposure Level: HIGH
- No authentication on API endpoints
- Directory traversal enabled across entire infrastructure
- 122 government agencies affected
- Sensitive datasets accessible (immigration, health, tax?)

### Potential Impact
1. PII exposure from individual agencies
2. Infrastructure mapping for further exploitation
3. Correlation attacks across agencies
4. Source for social engineering campaigns

---

## Recommendations for Report
1. Document full scope of exposure
2. Sample data from key agencies (SAT, IMSS, SRE)
3. Identify any PII-containing datasets
4. Contact Mexican CERT for responsible disclosure

---

*Research Date: January 2026*
*Classification: CRITICAL INFRASTRUCTURE EXPOSURE*