Moroccan watchdog condemns government’s handling of massive CNSS data leak

Transparency Maroc, a leading anti-corruption watchdog, has voiced “profound concern” following a major cybersecurity breach involving Morocco’s National Social Security Fund (CNSS), which exposed the personal data of nearly two million individuals and around 500,000 businesses. In a strongly worded statement released on Monday, the organization warned that the ramifications of the breach could severely undermine public trust and destabilize the country’s social fabric.

According to the NGO, the breach—one of the most severe in Morocco’s history—also affected other government institutions, including the Ministry of Employment. The attackers accessed and leaked critical information such as full names, national ID and passport numbers, contact details, salary information, and even banking credentials.

Transparency Maroc criticized the government’s response to the incident as inadequate and opaque. “These leaks could destabilize and threaten social and national peace,” the organization stated, citing Article 24 of Morocco’s Constitution and Law 09-08, which governs the protection of personal data, as clear legal safeguards that were violated.

Rather than offering reassurance or transparency, affected institutions allegedly responded with “threat and intimidation,” according to the watchdog. The group expressed particular concern over the silence of ministers who chair the boards of the implicated entities. “The ministers concerned have not made themselves heard,” Transparency Maroc noted, emphasizing the need for public accountability.

Cybersecurity experts have identified deep-rooted vulnerabilities in Morocco’s digital infrastructure as contributing factors to the breach. These include outdated software systems, a lack of personnel training, and weak governance protocols. The breach has called into question the overall resilience of the nation’s cybersecurity defenses, despite previously lauded efforts by institutions like the General Directorate of Information Systems Security (DGSSI) and the National Commission for the Control of Personal Data Protection (CNDP).

In its statement, Transparency Maroc demanded the government fully disclose its cybersecurity strategy and clarify the steps taken to protect citizens’ personal data. The organization also raised serious concerns over conflicts of interest in how digital security services are procured, specifically questioning the roles of service providers involved in audit missions, software sales, and other consulting services.

Moreover, the watchdog called for public disclosure of the results of Tender Offer No. 15/2021, issued in August 2021, which was aimed at helping the CNSS comply with Law 09-08. Transparency Maroc argued that the results of such procurement processes should be readily available on the CNSS website in accordance with legal transparency standards.