A data breach has reportedly hit Peru’s National Registry of Identification and Civil Status (RENIEC), a state entity responsible for managing the country’s civil registry and digital identification system.
A threat actor claims to have leaked a database containing 146,199 images of individuals, including updated facial photographs from 2025.
The breach raises serious concerns about privacy, data protection, and the security of Peru’s critical identification infrastructure.
Details of the Breach
According to the post from DarkWebInformer, the leaked dataset allegedly includes high-resolution images used in RENIEC’s biometric facial recognition system.
These images are integral to Peru’s Documento Nacional de Identidad (DNI), a digital ID that employs advanced biometric technologies for identity verification.
RENIEC recently adopted Switzerland-based Tech5’s T5-OmniMatch ABIS platform for facial recognition and liveness checks, which complies with ISO and ICAO biometric standards.
The breach could undermine public trust in this system, which has been touted as one of the most advanced in Latin America.
The threat actor behind the leak has not disclosed how the data was obtained but claims it includes sensitive personal information tied to RENIEC’s centralized database.
This incident follows RENIEC’s recent struggles with cybersecurity; the institution reported blocking over 4 million cyberattacks in recent months.
Legal and Privacy Implications
Peru’s Personal Data Protection Law (PDPL) N° 29733 mandates strict safeguards for personal information, including sensitive biometric data.
Under the newly enacted Supreme Decree N° 016-2024-JUS, organizations are required to notify authorities promptly about security incidents involving personal data.
RENIEC will likely face scrutiny from the National Authority for Personal Data Protection (ANPDP) if the breach is confirmed.
The compromised data could violate Article 2 of Peru’s Constitution, which guarantees citizens’ right to privacy.
Additionally, RENIEC’s role as a trusted public institution may be jeopardized, especially as it oversees vital civil registration functions like births, marriages, and deaths.
Potential Risks
The exposure of biometric data poses severe risks beyond traditional identity theft.
Unlike passwords or PINs, biometric identifiers such as facial images cannot be changed once compromised.
Criminals could exploit this data for:
- Identity Fraud: Using stolen images to impersonate individuals in financial or legal transactions.
- Deepfake Technology: Creating realistic but fraudulent media content.
- Social Engineering Attacks: Leveraging personal details for targeted scams.
Such risks are particularly concerning given Peru’s reliance on digital IDs for accessing essential services like banking, healthcare, and voting.
RENIEC’s Troubled History
This breach adds to a series of challenges faced by RENIEC in recent years.
In 2024, employees protested against institutional mismanagement and technological failures that disrupted services across the country.
Frequent system crashes and delays in implementing robust cybersecurity measures have been recurring issues.
Despite these setbacks, RENIEC has been at the forefront of Peru’s digital transformation.
Its DNI program is considered a cornerstone of social inclusion initiatives, providing legal identity to millions of undocumented citizens through innovative outreach efforts.
However, this breach could erode confidence in its ability to safeguard sensitive information.
Next Steps
If verified, this incident will likely trigger an investigation by Peruvian authorities under the Digital Trust Framework established by Emergency Decree 007-2020.
RENIEC will also need to collaborate with cybersecurity experts to assess vulnerabilities and implement stronger safeguards.
For now, citizens are advised to remain vigilant against potential scams or fraud attempts linked to this breach.
Updates from RENIEC and government agencies are expected in the coming days as they work to address this alarming situation.
This incident underscores the urgent need for robust cybersecurity measures in safeguarding national identification systems—a lesson not just for Peru but for nations worldwide navigating their digital transformation journeys.
Also Read:
%20(1).webp?resize=1600,900&ssl=1&description=A threat actor claims to have leaked a database containing 146,199 images of individuals, including updated facial photographs from 2025.){kind=link}