A database containing personal and medical information of around 20 million IMSS pensioners is circulating on the dark web, that hidden corner of the internet where illegal activities thrive. The database, titled “IMSS Pensioners 2025,” is about 1.4 GB in size and has reportedly been up for sale since early August.
It was revealed that the attacker, using the alias “Scorpion,” gained access to confidential IMSS data that should have been protected by the institution itself. This leak exposes a serious failure in the security systems of a federal agency responsible for safeguarding the personal data of millions of Mexicans.
What data was stolen from IMSS pensioners?
According to cybersecurity experts, the leaked information is highly sensitive and appears to be authentic. Evidence shows that the database is extremely detailed, containing both personal and medical information on millions of individuals.
Screenshots shared by analysts of the breach clearly show records that include:
- Full name and surnames
- CURP and RFC
- Business name
- Diagnosed illnesses
- Medical history
One of the most alarming examples shows a record of a person diagnosed with prostate cancer, diabetes mellitus, and hypertension—data that should be entirely private and confidential.
This kind of exposure not only represents a serious violation of privacy but also a real risk of fraud, extortion, or discrimination, especially against elderly individuals and those in vulnerable situations.
Screenshot of Stolen IMSS Retiree Data Being Sold on Underground Forums (Source: Ignacio Gómez Villaseñor)
Why Is This Leak So Serious?
Because this isn’t just a list of names—it’s a full database containing personal and medical information of 20 million IMSS retirees, now up for sale on clandestine dark web forums.
This type of data can be used to commit bank fraud, extortion, or identity theft, posing a huge risk—especially for elderly individuals who tend to be more vulnerable to such crimes.
The dark web, also known as the "web oscura" in Spanish, is a part of the internet that’s not accessible through regular browsers. There, users’ identities remain hidden, making it easier to sell stolen data and carry out other illegal activities.
According to cybersecurity experts, this leak threatens not only the financial security of those affected but also their medical privacy. The data could be used to impersonate healthcare institutions, labs, or even to carry out fraudulent procedures in the victims’ names.
Moreover, this case makes it clear that protecting personal and health data is no longer a luxury—it’s an urgent necessity. Mexican authorities and institutions must act to strengthen their cybersecurity systems, but it’s also essential for citizens to stay informed and learn how to handle their digital information with greater caution.