# DUMP REPORT: repodatos.atdt.gob.mx **Date:** 2026-02-25 (updated after full mirror) **Type:** Unauthenticated Federal Open Data API **Status:** WIDE OPEN — No Authentication Required **Severity:** CRITICAL **Dump Status:** COMPLETE — 64 GB full mirror on disk --- ## Target Overview | Field | Value | |-------|-------| | Domain | `repodatos.atdt.gob.mx` | | Full Name | Repositorio de Datos Abiertos — ATDT (Agencia de Transformacion Digital y Telecomunicaciones) | | IP | Resolves behind nginx | | Server | nginx (JSON directory listings enabled) | | Protocol | HTTPS (also HTTP) | | Authentication | NONE | | Enumerated Size | **50.12 GB** (all_data + top-level agencies) | | Full Mirror Size | **64 GB** (includes s_* mirrors, CONAPO, CONEVAL) | | Total Files | **1,084+** (in /all_data + top-level agencies + s_* mirrors) | | Total Directories | **302+** | | Agencies in all_data | **38** | | Agencies in api_update | **177** | | Estimated Total Records | **186,000,000+** | | Last Activity | 2026-02-24 (api_update directories actively maintained) | | Mirror Status | **COMPLETE** — 28 top-level dirs, 38 all_data agencies, 11 s_* dirs | | Mirror Date | 2026-02-25 03:00-05:37 EST | --- ## Vulnerability Description The entire federal open data repository at `repodatos.atdt.gob.mx` exposes JSON-formatted directory listings with zero authentication. Any visitor can: - Browse all directories recursively - Download any file (CSV, ZIP, shapefiles) - Access data from 177 federal agencies - Obtain birth records, death records, migration data, crime statistics, procurement records, and more No `.git/` or `.env` files were found — the vulnerability IS the open directory listing itself with sensitive government datasets containing PII. --- ## Data Categories & PII Assessment ### CRITICAL PII — Birth Records (SINAC) - **Path:** `/all_data/secretaria_salud/77c166cc-bcbf-4b28-806e-f2a60c3de821/` - **Files:** 16 (2008-2023) - **Size:** 12.3 GB - **Est. Records:** ~60,000,000 - **Fields:** CEDOCVE, ENT_NACM, MPO_NACM, FECH_NACM, EDADM, CON_INDM, HABLA_INDM, CUAL_LENGM, EDOCIVIL, SEXOH, GESTACH, TALLAH, PESOH, CLUES, INST_NAC, ENT_NAC, MPO_NAC, LOC_NAC, CERT_POR, FECH_CERT, FECH_ALTA, IDCAPTURA... - **PII Level:** HIGH — Birth dates, mother's age, indigenous status, language, marital status, education level, occupation, municipality-level location, institution, baby sex/weight/height, APGAR scores ### CRITICAL PII — Death Records (Defunciones) - **Path:** `/all_data/secretaria_salud/6fecbbb3-afd9-44a1-8665-679a80ce4a15/` - **Files:** 26 (1998-2023) - **Size:** 6.1 GB - **Est. Records:** ~25,000,000 - **Fields:** ENT_REGIS, MUN_REGIS, LOC_REGIS, ENT_RESID, MUN_RESID, CAUSA_DEF, SEXO, ENT_NAC, AFROMEX, CONINDIG, LENGUA, CVE_LENGUA, NACIONALID, EDAD, OCUPACION, ESCOLARIDA, EDO_CIVIL, TIPO_DEFUN, LUGAR_OCUR, CIRUGIA, NECROPSIA, EMBARAZO... - **PII Level:** HIGH — Cause of death, nationality, indigenous/Afro-Mexican status, language, age, occupation, education, marital status, municipality-level location, pregnancy status, violence indicators ### CRITICAL PII — Education Centers (CURP/RFC/Names) - **Path:** `/all_data/secretaria_educacion/2a1d047c-546b-4293-971a-c835689a37a5/` - **Files:** 68 (by state) - **Size:** 1.7 GB - **Est. Records:** ~6,000,000 - **Fields:** cv_cct, c_nombre, contacto_c_curp, contacto_c_rfc, contacto_c_nombre, contacto_c_apellido1, contacto_c_apellido2, contacto_c_email, contacto_c_telefono, contacto_c_celular, latitud, longitud... - **PII Level:** CRITICAL — Contains CURP (national ID), RFC (tax ID), full names, email, phone, cell phone, GPS coordinates ### HIGH — Migration Records (INM) - **Path:** `/INM/regulacion_migratoria/` - **Files:** 2 - **Size:** 257 MB - **Est. Records:** ~1,300,000 - **Tramites_Migratorios.csv fields:** Semestre, Nacionalidad, Tramite, Tipo_de_resolucion, Edad, Sexo, Entidad, Fecha, Numero - **Documentos_Migratorios.csv fields:** Semestre, Entidad_expedicion_documento, Nacionalidad, Edad, Sexo, Documento, Fecha, Numero ### HIGH — Irregular Migration Events - **Path:** `/all_data/secretaria_gobernacion/eventos_migratoria_irregular_2023/` - **Files:** 1 - **Size:** 175 MB - **Est. Records:** ~700,000 - **Fields:** ID_REG, CONT (continent), NAC (nationality), SEX, EDAD, G_EDAD, COND_VIAJ, PAM, ENT_D, MUND, ENT_R, RES (resolution), F_PoC, F_R, fecha_inicio, fecha_resolucion - **PII Level:** HIGH — Individual irregular migration events with nationality, sex, age, location, resolution status ### HIGH — CENSIDA HIV/AIDS Treatment - **Path:** `/CENSIDA/activas_con_tratamiento/` - **Files:** 2 - **Size:** 22 MB - **Est. Records:** ~100,000 - **Fields:** clave_medicamento, establecimiento_salud, unidad_almacen, corte, nombre_medicamento, unidad_medida, consumo_arv_mensual, numero_pacientes, fecha - **PII Level:** MEDIUM-HIGH — Antiretroviral treatment data by facility (aggregated, not individual) ### HIGH — Crime Incidence (SESNSP) - **Path:** `/SESNSP/incidencia_delictiva/` - **Files:** 2 - **Size:** 424 MB - **Est. Records:** ~2,000,000 - **IDM_NM_ene25.csv fields:** Ano, Clave_Ent, Entidad, Cve. Municipio, Municipio, Bien juridico afectado, Tipo de delito, Subtipo de delito, Modalidad, Enero-Diciembre - **PII Level:** MEDIUM — Municipal-level crime statistics (aggregated) ### MEDIUM — Government Procurement (Compranet) - **Path:** `/compranet_historico.csv` (root level) - **Size:** 907.5 MB - **Est. Records:** ~4,500,000 - **Fields:** codigo_contrato, codigo_expediente, proveedor, titulo_contrato, descripcion_contrato, contract_type, tipo_contratacion, importe, moneda, fecha_inicio, fecha_fin - **PII Level:** MEDIUM — Vendor names, contract details, amounts, dates ### MEDIUM — IMSS CNDH Human Rights Complaints - **Path:** `/IMSS/recomendaciones_cndh/` - **Files:** 1 - **Size:** 1 MB - **Fields:** Ejercicio, Num_recomendacion, Hecho_violatorio, Tipo_recomendacion, Estatus_recomendacion, Acciones_realizadas, Servidor_publico_comparecio... - **PII Level:** MEDIUM — References victim identifiers (V1, V2) and public servants ### MEDIUM — CRE Gas Prices - **Path:** `/CRE/precios_gas_lp/` - **Files:** 3 - **Size:** 1.3 GB - **Est. Records:** ~85,000,000 - **PII Level:** LOW — Price data by gas station ### MEDIUM — Forest Fires (CONAFOR) - **Path:** `/CONAFOR/incendios_forestales/` - **Files:** 9 - **Size:** 187 MB - **PII Level:** LOW — Geospatial fire incident data --- ## Top-Level Directory Structure ``` repodatos.atdt.gob.mx/ ├── CENSIDA/ (HIV/AIDS data) ├── CONAFOR/ (Forest commission) ├── CONAPO/ (Population council) ├── CONEVAL/ (Social policy evaluation) ├── CRE/ (Energy regulatory commission) ├── IMSS/ (Social security institute) ├── INM/ (National migration institute) ├── SESNSP/ (Public security system) ├── CONAPO/ (Population council — projections, marginalization) [202 MB] ├── CONEVAL/ (Social policy — poverty, social lag) [48 MB] ├── all_data/ (1,021+ files across 38 agencies) [24 GB] │ ├── censida/ │ ├── conafor/ │ ├── conagua/ │ ├── conapo/ │ ├── coneval/ │ ├── cre/ │ ├── imer/ │ ├── imss/ │ ├── inafed/ │ ├── inali/ │ ├── inecc/ │ ├── inm/ │ ├── issste/ │ ├── profedet/ │ ├── profepa/ │ ├── promtel/ │ ├── secretaria_agricultura/ │ ├── secretaria_bienestar/ │ ├── secretaria_ciencia_tecnologia/ │ ├── secretaria_comunicaciones/ │ ├── secretaria_cultura/ │ ├── secretaria_desarrollo_territorial/ │ ├── secretaria_economia/ │ ├── secretaria_educacion/ *** CURP/RFC/PII *** │ ├── secretaria_gobernacion/ *** Irregular migration *** │ ├── secretaria_hacienda/ │ ├── secretaria_marina/ │ ├── secretaria_medio_ambiente/ │ ├── secretaria_mujeres/ │ ├── secretaria_relaciones_exteriores/ │ ├── secretaria_salud/ *** Birth & Death records *** │ ├── secretaria_seguridad/ │ ├── secretaria_trabajo/ │ ├── secretaria_turismo/ │ ├── segalmex/ │ ├── sgm/ (Geological survey) │ ├── spr/ (SPR) │ └── sesnsp/ ├── api_update/ (177 agency directories — actively maintained) ├── prueba/ (test) ├── prueba_rem/ (remote test) ├── s_agricultura_des_rural/ ├── s_ciencia_human_tec_inov/ ├── s_cultura/ ├── s_economia/ ├── s_educacion_publica/ ├── s_hacienda_cred_publico/ ├── s_infra_comunic_transportes/ ├── s_medio_ambiente_rec_naturales/ ├── s_salud/ ├── s_trabajo_prev_social/ ├── s_turismo/ ├── compranet_historico.csv (907.5 MB — procurement) ├── 01_CYB_ENE_2025.csv (988 B) └── listado_2_riesgos_climatologicos_092025_son.csv (1.4 KB) ``` --- ## Top 20 Largest Files | # | File | Size | |---|------|------| | 1 | `/all_data/secretaria_salud/.../2012_sinac2012DatosAbiertos.csv` | 1,102.7 MB | | 2 | `/all_data/secretaria_salud/.../2013_sinac2013DatosAbiertos.csv` | 1,097.9 MB | | 3 | `/all_data/secretaria_salud/.../2015_sinac2015DatosAbiertos.csv` | 1,096.8 MB | | 4 | `/all_data/secretaria_salud/.../2014_sinac2014DatosAbiertos.csv` | 1,090.7 MB | | 5 | `/all_data/secretaria_salud/.../2011_sinac2011DatosAbiertos.csv` | 1,080.0 MB | | 6 | `/all_data/secretaria_salud/.../2016_sinac2016DatosAbiertos.csv` | 1,074.8 MB | | 7 | `/all_data/secretaria_salud/.../2010_sinac2010DatosAbiertos.csv` | 1,012.3 MB | | 8 | `/all_data/secretaria_salud/.../2009_sinac2009DatosAbiertos.csv` | 967.3 MB | | 9 | `/all_data/secretaria_salud/.../2008_sinac2008DatosAbiertos.csv` | 925.0 MB | | 10 | `/compranet_historico.csv` | 907.5 MB | | 11 | `/all_data/secretaria_salud/.../2017_sinac2017DatosAbiertos.csv` | 711.6 MB | | 12 | `/all_data/secretaria_salud/.../2019_sinac2019DatosAbiertos.csv` | 638.6 MB | | 13 | `/CRE/precios_gas_lp/Historico_Precios_Expendios.csv_2024.csv` | 627.7 MB | | 14 | `/CRE/precios_gas_lp/Historico_Precios_Expendios.csv_2023.csv` | 619.7 MB | | 15 | `/all_data/secretaria_salud/.../2018_sinac2018DatosAbiertos.csv` | 648.7 MB | | 16 | `/all_data/secretaria_educacion/.../CATALOGO_CENTRO_TRABAJO_01_16_CSV.csv` | 244.1 MB | | 17 | `/INM/regulacion_migratoria/Tramites_Migratorios.csv` | 227.8 MB | | 18 | `/all_data/secretaria_salud/.../defunciones_registradas_2021.csv` | 230.2 MB | | 19 | `/all_data/secretaria_salud/.../defunciones_registradas_2020.csv` | 223.1 MB | | 20 | `/all_data/secretaria_gobernacion/.../situ_irregular_2023.csv` | 175.5 MB | --- ## 177 Agencies in api_update (actively maintained) Notable agencies with recent activity (Feb 2026): - `censida` — HIV/AIDS (Feb 25) - `secretaria_hacienda` — Treasury (Feb 24) - `sgm` — Geological Service (Feb 24) - `asipona_salina_cruz` — Port Authority (Feb 24) - `condusef` — Financial Services (Feb 20) - `profepa` — Environmental Protection (Feb 19) - `secretaria_seguridad` — Security (Feb 19) - `secretaria_economia` — Economy (Feb 17) - `secretaria_educacion` — Education (Feb 17) Full list includes: STPS, aefcm, agn, agroasemex, aicm, alimentacion_bienestar, amexcid, apbp, artf, asea, asipona_cabo_san_lucas, asipona_dos_bocas, asipona_ensenada, asipona_mazatlan, asipona_salina_cruz, asipona_topolobampo, attrapi, babien, bioetica, canal22, capufe, ccc, ceav, cecut, cenace, cenagas, cenam, cenatra, censida, ceti, cfcrl, cfe, ciad, ciatec, cibnor, cicese, cide, cidesi, ciit, cij, cimat, cinvestav, ciqa, cmm, cnbbbj, cne, cnegsr, cofaa_ipn, colpos, colsan, conadesuca, conafe, conafor, conagua, conahcyt, conalep, conamed, conanp, conapesca, conapo, conapred, conasami, conavi, conbioetica, condusef, consar, crt, csaegro, csnf, cultura, diconsa, ecosur, eradio, essa, fiderh, fifomi, fifonafe, finabien, fira, focir, fonacot, fonatur_infraestructura, gafsacomm, hgmgg, himfg, hjm, iepsa, imcine, ime, imjuve, imme, impi, imr, imss_bienestar, imt, inDEP, inaes, inah, inaoe, inbal, incan, incich, indaabin, indautor, indep, indetec, inea, inecc, ineel, inehrm, iner, infotec, inger, inin, inm, inp, inpi, inprfm, inr, insp, instituto_mora, ipab, ipicyt, ipn, issfam, issste, mujeres, nafin, pemex, poi_ipn, prodecon, profeco, profedet, profepa, promtel, pronabive, prs, ran, sabg, sader, sat, secihti, secretaria_agricultura, secretaria_ciencia_tecnologia, secretaria_comunicaciones, secretaria_cultura, secretaria_desarrollo_territorial, secretaria_economia, secretaria_educacion, secretaria_hacienda, secretaria_salud, secretaria_seguridad, secretaria_trabajo, sedatu, sedena, segalmex, semar, senasica, sener, sep, sepomex, sesna, sesnsp, sfp, sgm, sipinna, spf, spr, sre, sspc, stps, tecnm, tgm, tp, tren_maya, upn, usicamm --- ## Infrastructure Notes - Server: nginx with autoindex JSON format - No robots.txt blocking - No rate limiting observed - No authentication on any path - SSL certificate present - HTTP 403 on root without trailing slash (redirect issue) - HTTP 404 for .git/, .env paths (no source code exposed) - All data accessible via direct URL construction - api_update directory shows daily automated updates from agencies --- ## Sample Download Commands ```bash # Download birth records (2023) curl -skL -o sinac_2023.csv "https://repodatos.atdt.gob.mx/all_data/secretaria_salud/77c166cc-bcbf-4b28-806e-f2a60c3de821/2023_Nacimientos_2023.csv" # Download death records (2023) curl -skL -o defunciones_2023.csv "https://repodatos.atdt.gob.mx/all_data/secretaria_salud/6fecbbb3-afd9-44a1-8665-679a80ce4a15/defunciones_registradas_2023.csv" # Download migration tramites curl -skL -o tramites_migratorios.csv "https://repodatos.atdt.gob.mx/INM/regulacion_migratoria/Tramites_Migratorios.csv" # Download irregular migration events curl -skL -o irregular_migration_2023.csv "https://repodatos.atdt.gob.mx/all_data/secretaria_gobernacion/eventos_migratoria_irregular_2023/situ_irregular_2023.csv" # Download education centers (with CURP/RFC) curl -skL -o educacion_all_states.csv "https://repodatos.atdt.gob.mx/all_data/secretaria_educacion/2a1d047c-546b-4293-971a-c835689a37a5/CATALOGO_CENTRO_TRABAJO_01_16_CSV.csv" # Download crime incidence curl -skL -o crime_ene25.csv "https://repodatos.atdt.gob.mx/SESNSP/incidencia_delictiva/IDM_NM_ene25.csv" # Download procurement history curl -skL -o compranet.csv "https://repodatos.atdt.gob.mx/compranet_historico.csv" ``` --- ## Risk Summary | Category | Impact | |----------|--------| | PII Exposure | CRITICAL — CURP, RFC, names, phones, emails in education data | | Health Data | CRITICAL — 85M+ birth/death records with medical details | | Migration Data | HIGH — 2M+ migration records including irregular border crossings | | Scale | EXTREME — 64 GB mirrored, 186M+ records, 177 agencies | | Access Control | NONE — Zero authentication | | Active Status | YES — api_update modified daily as of Feb 24, 2026 | | Remediation | Requires authentication layer on nginx directory listings |