RENIEC Peru citizen data leak
A threat actor advertised a database said to hold around 37 million records from Peru's national identity registry RENIEC, including DNI numbers, names, birth data, and addresses; RENIEC disputed that its systems were breached.
- Victim
- RENIEC (Registro Nacional de Identificación y Estado Civil)
- records
- 37.0M
- users
- 37.0M
In late 2024 and through 2025, RENIEC — Peru's National Registry of Identification and Civil Status, custodian of the country's foundational identity database — became the focus of a series of leaks and disputed breach claims involving the personal data of tens of millions of citizens.
What happened
Around 1 November 2024, a threat actor advertised on a dark-web forum a database said to contain roughly 37 million records drawn from RENIEC, posting sample entries to prove authenticity. Because RENIEC underpins Peru's DNI (Documento Nacional de Identidad) system, the registry effectively mirrors the national population — making any leak of its data exceptionally sensitive.
The reported dataset included:
- DNI numbers and full names (paternal surname, maternal surname, given names).
- Birth date and place; DNI issue and expiry dates.
- Home addresses, civil status, gender, and parental details.
A disputed breach
Crucially, RENIEC denied that its own servers were hacked. The registry instead pointed to possible misuse of authorized access by another government body, specifically the Ministry of the Interior (Mininter), which queries RENIEC data through Peru's state PIDE interoperability platform. Government bodies including the PCM (Presidency of the Council of Ministers) issued statements disputing that personal data had been exfiltrated through PIDE. The episode therefore became as much a story about insider access and interoperability governance as about an external intrusion.
Recurring exposures
The 2024 leak was not isolated. In April 2025, a separate dump surfaced containing 146,199 high-resolution biometric facial photographs tied to RENIEC's DNI system — a particularly grave exposure, since biometric identifiers cannot be reissued the way a password or card number can. Further unauthorized-access claims emerged later in 2025, keeping RENIEC's security under sustained public scrutiny.
Why it matters
The RENIEC incidents struck at the root of trust for Peruvian digital identity. Unlike a bank or telecom leak, a compromise of the national identity registry undermines the very dataset against which every other institution verifies citizens. The disputed attribution — RENIEC versus Mininter, with the PIDE platform in between — also exposed a structural weakness common to interoperable e-government systems: once dozens of agencies can query a central registry, a breach anywhere in the chain can expose the whole population, while making accountability difficult to assign. The case has driven calls in Peru for stronger access controls, auditing of interoperability queries, and enforcement under the country's personal-data-protection authority.
Timeline
A threat actor advertises a database said to contain around 37 million RENIEC records on a dark-web forum, posting sample data.
Researchers note the dataset includes DNI numbers, full names, birth data, DNI issue/expiry dates, addresses, civil status, and parental details.
RENIEC denies that its servers were hacked and points to possible misuse of access by the Ministry of the Interior (Mininter).
A separate leak surfaces: 146,199 high-resolution RENIEC biometric facial photographs are posted online.
Further unauthorized access to RENIEC data is reported, reigniting debate over the registry's security and the PIDE interoperability platform.
Sources
- dailydarkweb.nethttps://dailydarkweb.net/reniec-allegedly-breached-37m-citizen-data-leaked/
- cyberpress.orghttps://cyberpress.org/reniec-data-leaked/
- ground.newshttps://ground.news/article/reniec-pronounces-on-alleged-hacking-and-points-to-mininter-this-is-what-the-official-statement-says
- latin-american.newshttps://latin-american.news/pcm-denies-reniec-and-rules-out-that-personal-data-was-leaked-through-pide/