Morocco investigates major data breach allegedly by Algerian hackers

Morocco’s national social security agency is investigating a cyberattack that resulted in the leak of sensitive personal data reportedly belonging to millions of citizens. Local media described the incident as a politically motivated campaign by Algerian hackers.

The National Social Security Fund of Morocco (CNSS), which oversees healthcare, disability, and retirement benefits for the country’s private-sector employees, said hackers bypassed its security systems and leaked some of the agency’s data.

More than 54,000 files were allegedly stolen, exposing information on nearly 2 million people, according to Moroccan media reports. The files, some of which date back to November 2024, included names, national ID numbers, company affiliations, email addresses, phone numbers, and bank account details.

The documents were posted to a public Telegram channel earlier this week. In a statement, CNSS said some of the leaked materials appeared “misleading, inaccurate, or incomplete,” but confirmed that an investigation is underway.

The agency has not publicly attributed the attack to a specific threat actor. However, earlier this week a hacker group calling itself JabaROOT claimed responsibility for the breach and published a statement accusing Morocco of targeting Algerian institutions online. The group warned of further cyberattacks if Moroccan-linked actors continued what it described as digital harassment.

American security firm Resecurity said the stolen data was also uploaded to an underground forum on the dark web but has not been offered for sale — suggesting the motive may be political rather than financial. It noted that such tactics are sometimes used by espionage groups operating under the guise of hacktivists.

The breach is believed to have affected both Moroccan and foreign entities, including European firms operating locally, researchers said.

Cybersecurity company CybelAngel said the method of intrusion remains unclear, though early analysis points to a zero-day exploit or a vulnerability in third-party software, possibly involving Oracle-based systems.

JabaROOT also shared a screenshot showing the apparent defacement of the Moroccan Ministry of Labour’s website, which has since gone offline. Both attacks were framed as retaliation for the alleged hacking of the state media outlet Algeria Press Service’s X account by suspected Morocco-affiliated threat actors.

The account was renamed “Sahara Marocain,” referencing the long-standing geopolitical dispute between Morocco and Algeria over the Western Sahara region, before it was suspended following widespread media coverage.

Relations between Morocco and Algeria have remained tense and adversarial in recent years, marked by deepening political and territorial disputes. In August 2021, Algeria severed diplomatic ties with Morocco, leading to the closure of airspace, the halting of gas pipeline flows, and the imposition of visa requirements on Moroccan nationals.

The long-standing dispute over Western Sahara remains a central issue. Earlier this week, U.S. Senator Marco Rubio said he supports Morocco's plan for extensive autonomy for the Western Sahara region under its sovereignty — a stance that drew criticism from Algeria.