SAT: huachicoleo of personal data

I suggest you, dear reader, prepare yourself some tea for your nerves and take a seat. What follows may leave you cold. These are the confessions of Raquel Buenrostro Sánchez, head of the tax collection office in Mexico, about an illegitimate extraction of all the information from that office —yes, all the information— that lasted between 10 and 15 years.

It is an extraction of the fiscal, patrimonial and personal data of 31 million natural persons, 47 million salaried persons (who pay taxes through their employers) and 2.3 million legal persons. The law considers it a “security breach”, because it is a theft, loss or unauthorized copy of personal information and because it is an unauthorized use, access or processing.

Buenrostro learned of this systematic robbery three months after arriving at the SAT (Tax Administration Service) and has only just decided, two years later, to notify the public.

The personal data protection office, the INAI, has to defend our human rights. It has to investigate this data breach and also Buenrostro, for denying citizens and taxpayers the opportunity to protect themselves in time from improper use of their personal information.

Let’s analyze Buenrostro’s statements made to the newspaper La Jornada last April 20:

1. “The first three months we were here we found three cables coming out of the SAT servers”. Buenrostro took office on January 15, 2020. If the theft of information lasted between 10 and 15 years, then the illegitimate transfers occurred during the leadership of José María Zubiría Maqueo (head of the SAT with Calderón), Alfredo Gutiérrez Ortiz Mena (Calderón), Aristóteles Núñez Sánchez (Peña Nieto), Osvaldo Santín Quiroz (Peña Nieto), and Margarita Ríos Farjat (López Obrador). Gutiérrez Ortiz Mena and Ríos Farjat are today ministers of the Supreme Court.

2. “Forget about the information being stolen on a USB, or a tax advisor who is there in the office doing it. No. There were three cables in the servers”. Three direct connections to the databases of the SAT. We are not talking about a simple huachicoleo —the crime of extracting hydrocarbons from pipelines—, but about a professional theft permitted by SAT officials by action or omission.

3. “(We found) 35,000 user ports that had access to all the SAT information”. This statement by Buenrostro contains two clues, so let’s take it in parts.

3.1. An access port is an entry way to an information repository. The SAT servers had (we assume they have already been disabled) 35,000 professionally drilled holes. I insist: we are not talking about a hack or a cyber breach, but about an authorized, permitted breach.

3.2. Buenrostro assured that the ports gave access to “all the information of the SAT”. This means that, in terms of personal information alone, those invited to the data feast had access to the password and the files of the electronic signature (e.firma), to the Federal Taxpayer Registry, to the taxpayer’s address, to their email, to their tax returns, to their tax refund requests, to their sales records of goods and services, and to their biometric data, which are unique and irreplaceable.

4. “Who has the information? It was held by a lot of people and we don’t even know who they are. At least 40,000 people; who knows who they are, who they work for. Some we have identified, others we have not”. Can you imagine the capacity to harm, commit fraud and usurp identities that people with access to that data have?

5. “So who has the SAT information? Almost 40,000 people so far, but surely they are not the only ones”. Plop.

If you are in the Federal Taxpayer Registry, rest assured that you have been affected. Report the SAT for the misuse of your personal data. Ask for information at the INAI by phone at 800 835 43 24.

I just can’t believe it. I don’t want to believe it. Because if true, it’s a nightmare.

Jose Soto Galindo

Editor of El Economista online


Journalist. He has edited the digital version of El Economista in Mexico City since 2010. Master in Transparency and Protection of Personal Data from the University of Guadalajara. He has a specialization in telecommunications and information technology law. His personal blog is Economicon.
