
When Social Security Becomes Social Insecurity: How Morocco's CNSS Hack Exposed 2 Million Lives

  • Writer: Brenna Meyer
  • Jan 6

Updated: Jun 13


The Morocco CNSS Cyberattack: A Wake-Up Call for Critical Infrastructure Security.


In April 2025, Morocco faced what cybersecurity experts are calling one of the most significant data breaches in the country's history. The National Social Security Fund of Morocco (CNSS) fell victim to a devastating cyberattack that exposed the personal information of nearly 2 million citizens and highlighted the growing threat of politically motivated cybercrime.

The Attack: Scale and Sophistication

The threat actor has leaked a CSV file containing personal information about 1,996,026 employees from various enterprises operating in Morocco. Operating under the alias "Jabaroot," the attackers didn't just breach one system—they orchestrated a coordinated assault that resulted in personal information being leaked on the messaging app Telegram.

The scope of the breach was staggering. More than 54,000 files were allegedly stolen, exposing information on nearly 2 million people, according to Moroccan media reports. The compromised data included some of the most sensitive information possible:

  • Names and national ID numbers

  • Company affiliations and employment details

  • Email addresses and phone numbers

  • Bank account details

  • Salary information

  • Government employee records

What makes this attack particularly concerning is that the stolen dataset was included in a 7z archive with timestamps from November 29, 2024, suggesting the attackers may have had access to the systems for months before making their breach public.

Political Motivations Behind the Attack

This wasn't a typical financially motivated cybercrime. The hackers who posted the documents on Telegram said the attack was in response to alleged Moroccan "harassment" of Algeria on social media platforms, pledging additional cyberattacks if Algerian sites were targeted.

The attack reflects the deteriorating relationship between Morocco and Algeria, two North African neighbors whose tensions have spilled over into cyberspace. In August 2021, Algeria severed diplomatic ties with Morocco, leading to the closure of airspace, the halting of gas pipeline flows, and the imposition of visa requirements on Moroccan nationals.

Morocco's government spokesperson linked the attack to what he said was growing support for Morocco in the conflict from the international community — something he said "disturbs the enemies of our country to the point of attempting to harm it through these hostile actions."

The Ripple Effects: Who Was Impacted

The breach didn't just affect ordinary citizens—it exposed data from across Morocco's power structure. Government employees were also affected: representatives of multiple government agencies in Morocco have been identified in the leak. This included sensitive information from:

  • The Moroccan Agency for Investment and Export Development

  • The Ministry of Economy and Finance

  • The Ministry of Health

  • The National Agency for the Promotion of Small Businesses

  • The General Treasury of the Kingdom

  • Even the Israeli liaison office in Rabat

Perhaps most troubling, among the leaked documents is salary information that, if accurate, would reflect vast inequalities that continue to plague Morocco despite its strides in economic development. This data could be weaponized for social engineering attacks, identity theft, and even political destabilization.

International Implications

The attack also had international ramifications. The breach affects entities in Morocco and poses a risk for foreign companies operating in the country, as multiple branches of EU-based companies have been identified in the leaked data. This demonstrates how modern cyber attacks can quickly transcend national boundaries, affecting multinational corporations and international business relationships.

Response and Containment Efforts

Morocco's response highlighted both swift action and ongoing vulnerabilities. "As soon as the data leak was observed, the IT security protocol was activated with corrective measures that contained the path used and strengthened infrastructures," the CNSS stated.

However, the agency's defensive stance raised questions about data integrity. The CNSS confirmed its computer system had been subjected to a series of cyberattacks aimed at circumventing security measures, resulting in a data leak whose "origins and contours are currently being evaluated." The organization claimed that many leaked documents were "misleading, inaccurate, or incomplete."

Lessons for Cybersecurity Professionals

This attack offers several critical lessons for organizations worldwide:

1. Political Tensions Create Cyber Risks

Modern conflicts increasingly play out in cyberspace. Organizations in politically sensitive regions must factor geopolitical tensions into their threat modeling and security planning.

2. State-Adjacent Actors Are Evolving

The alias Jabaroot first appeared on the cybercrime forum BreachForums and on Telegram on April 8th, 2025. Since then, the threat actor's Telegram channel has quickly gained traction, amassing over 8,000 subscribers. This shows how quickly politically motivated attackers can build influence and coordinate campaigns.

3. Critical Infrastructure Remains Vulnerable

Social security systems hold some of the most sensitive data about a nation's citizens. The fact that such a system could be compromised and data extracted over months demonstrates the urgent need for enhanced security measures around critical infrastructure.

4. Data Validation Is Crucial

The ongoing dispute over the authenticity of leaked data highlights the importance of having robust data integrity measures and the ability to quickly verify what information has been compromised.

Looking Forward: Strengthening Defenses

The Morocco CNSS attack serves as a stark reminder that cybersecurity is not just a technical challenge—it's a national security imperative. As cyber attacks become increasingly intertwined with geopolitical conflicts, organizations must:

  • Implement robust monitoring systems to detect long-term intrusions

  • Develop incident response plans that account for politically motivated attacks

  • Strengthen international cooperation on cybersecurity threats

  • Invest in both technical defenses and employee training

The digital age has made critical infrastructure a prime target for state and state-adjacent actors seeking to inflict maximum damage with minimal resources. The Morocco attack demonstrates that in our interconnected world, a successful cyberattack can expose millions of citizens, damage international relationships, and undermine confidence in digital systems.

As we move forward, the cybersecurity community must learn from incidents like this to build more resilient systems and protect the critical data that underpins modern society. The cost of inadequate cybersecurity—measured in compromised privacy, damaged trust, and geopolitical instability—is simply too high to ignore.

The Morocco CNSS cyberattack represents a new frontier in cyber warfare where geopolitical tensions directly translate into attacks on civilian infrastructure. For cybersecurity professionals, it's a reminder that our work extends far beyond protecting corporate assets—we're guardians of the digital infrastructure that modern society depends on.

 
 
 
