Morocco's Cybersecurity Crisis: When Five Security Contracts Aren't Enough — What CNSS, ANCFCC, and the Ministry of Justice Breaches Reveal About Governance Failures

Executive Summary
Between March 2025 and April 2026, Morocco experienced a concentrated wave of cyberattacks targeting its most critical public institutions. The National Social Security Fund (CNSS), the National Agency for Land Conservation (ANCFCC), the Ministry of Justice, the data protection authority (CNDP), and the vocational training office (OFPPT) were all compromised — in some cases by the same threat actor.
The scale is unprecedented for a North African nation:
- 1,996,026 employees and ~500,000 companies had their personal and financial data exfiltrated from the CNSS
- 53,574 PDF files containing salary details were published on Telegram
- 5,000 judges and 35,000 judicial staff had their data claimed as stolen from the Ministry of Justice
- 400,000+ student records from OFPPT were offered for sale on the dark web
- 20.7 million attack attempts were detected across Morocco in H1 2025 alone
The most revealing detail: the CNSS had signed five cybersecurity contracts in the year preceding the breach — and a previous breach in 2020 had already exposed over 3.5 million users through an unsecured access point.
This is not a story about insufficient tools. It is a story about insufficient governance.
This analysis maps every incident to DORA's requirements on incident management, ICT risk governance, third-party ICT risk, and resilience testing, as well as to Bank Al-Maghrib's public risk management and business continuity expectations. It examines the structural failures that made these breaches possible, and explains why operational resilience requires governance infrastructure — not just security products.
Timeline: 13 Months of Institutional Compromise
March 9, 2025 — CNDP (Data Protection Authority)
The Commission nationale de controle de la protection des donnees personnelles — the very authority responsible for enforcing Morocco's data protection framework under Law 09-08 — had its official website compromised by hackers. The attack was attributed to actors believed to originate from Asia.
Source: Agence de Presse Africaine (APA News), March 2025.
Regulatory significance: The CNDP is the enforcer of Law 09-08, Morocco's equivalent of the EU's GDPR. Its compromise undermines the credibility of the entire national data protection framework. Under DORA Article 19(1), major ICT-related incidents at regulatory bodies would themselves require notification — highlighting the systemic nature of governance failures.
April 8, 2025 — CNSS and Ministry of Employment
A threat actor operating under the alias "Jabaroot" — claiming to be an Algerian hacktivist group operating via the Telegram channel "JabarootDZ" — exfiltrated and publicly released massive volumes of data from the Caisse nationale de securite sociale (CNSS) and the Ministry of Employment.
Data compromised:
| Category | Volume | Source |
|---|---|---|
| Employees exposed | 1,996,026 | France 24, Medias24, Resecurity |
| Companies affected | ~500,000 | France 24, Medias24 |
| PDF salary files published | 53,574 | Medias24 |
| Data types | CIN (national ID), bank account numbers (RIB), phone numbers, salary details, employer affiliations | France 24, Resecurity, Medias24 |
Affected institutions included the Moroccan Agency for Investment and Export Development (AMDIE), the Ministry of Economy and Finance, the Ministry of Health, Maroc PME, the Moroccan Pension Fund, the General Treasury of the Kingdom, and ONSSA (National Office for Product Safety).
Source: France 24 (April 10, 2025), Medias24 (April 9-12, 2025), Resecurity (April 2025), Euronews (April 10, 2025), SecurityAffairs (April 2025).
Technical analysis: According to Resecurity's investigation, the attack likely exploited a zero-day vulnerability in a third-party Oracle-based system, enabling infiltration without triggering detection systems. The attackers reportedly bypassed internal security protocols and accessed large volumes of unencrypted data — indicating a failure in data-at-rest encryption controls.
Critical context: According to investigative reporting by Medias24, the CNSS had signed five cybersecurity contracts in the twelve months preceding the breach. Five procurement contracts for security consulting, training, software, and hardware — yet the data ended up on Telegram.
Furthermore, this was not the first CNSS breach. Resecurity's analysis references a 2020 incident that exposed over 3.5 million users through an unsecured access point. Despite that earlier warning, several vulnerabilities persisted — particularly around access control, encryption practices, and third-party system oversight.
Government response: During an official press conference on April 10, 2025, government spokesman Mustapha Baitas described the attacks as "criminal acts" perpetrated by "hostile parties."
Post-breach remediation: In September 2025, the CNSS launched an international tender worth MAD 40 million (~$4 million USD) to strengthen its cybersecurity infrastructure.
Sources: Medias24 (April 10, 2025 — five cybersecurity contracts), Resecurity (technical analysis), Morocco World News (September 2025 — $4M allocation).
June 2, 2025 — ANCFCC (National Land Conservation Agency)
The same "Jabaroot" threat actor claimed responsibility for a data leak from Morocco's National Agency for Land Conservation, Cadastre, and Cartography (ANCFCC). The breach was announced on the dark web forum DarkForums.
Source: CybelAngel (Flash Report, June 2025).
Regulatory significance: The ANCFCC manages Morocco's national property registry — a system containing highly sensitive land ownership, title, and cadastral data for the entire country. A compromise of this system affects property rights, commercial real estate, and financial collateral valuation across the banking sector.
June 2025 — Ministry of Justice
Hackers claimed to have obtained the personal information of approximately 5,000 judges and 35,000 members of judicial staff from the Ministry of Justice.
Source: Jeune Afrique (June 2025).
Regulatory significance: The compromise of judicial data represents a national security incident beyond cybersecurity — it potentially enables targeted influence operations, blackmail, and interference with judicial independence.
September 2025 — CNSS (Second Attack)
A new hacker — distinct from Jabaroot — claimed a second successful attack against the CNSS. The claim was confirmed by a cybersecurity expert.
Source: Medias24 (September 9, 2025).
Significance: A second breach occurring five months after the first — and after the government's public commitment to cybersecurity reinforcement — demonstrates that the structural vulnerabilities were not resolved by the initial incident response.
April 2026 — OFPPT (Vocational Training)
A threat actor using the alias "anisanas2" claimed to have breached the database of Morocco's Office of Vocational Training and Employment Promotion (OFPPT). A sample of 100,000 records was released as proof, with the full dataset — allegedly containing more than 400,000 student records — offered for sale on underground forums and the dark web.
Source: Morocco World News (April 2026).
Aggregate Threat Landscape
Kaspersky's telemetry detected 20.7 million attack attempts targeting Morocco in the first half of 2025 alone.
Source: Kaspersky, via ecoactu.ma and industries.ma.
The Governance Gap: Why Five Contracts Weren't Enough
The CNSS case is emblematic of a structural problem that extends far beyond Morocco: the confusion between security procurement and security governance.
What the CNSS Had
- Five cybersecurity contracts covering consulting, training, software, and hardware
- A cybersecurity budget of MAD 4.8 million in 2024
- Security tools deployed across its infrastructure
What the CNSS Did Not Have (Based on Outcome Evidence)
- Encrypted data at rest. Resecurity's analysis indicates attackers accessed "large volumes of unencrypted data." Under DORA Article 9(4)(c), financial entities must implement "policies and procedures regarding cryptographic controls, including encryption" for data at rest and in transit.
- Effective third-party oversight. The attack vector was a third-party Oracle-based system. Under DORA Articles 28-30, organizations must assess third-party ICT risk, enforce contractual security requirements, and maintain exit strategies. BAM's outsourcing directive requires prior notification and ongoing monitoring of outsourced ICT services.
- Lessons-learned integration. The 2020 breach exposed 3.5 million users through an unsecured access point. The same categories of vulnerabilities — access control, encryption, third-party oversight — persisted through 2025. Under DORA Article 13, financial entities must maintain "learning and evolving" capabilities that integrate findings from previous incidents.
- Tested incident response. The public response timeline — government acknowledgment two days after public data exposure, no proactive citizen notification mechanism — suggests incident response procedures were either untested or insufficient. Under DORA Article 17(3), entities must establish "ICT-related incident management processes" that are regularly tested.
- Auditable governance. Transparency Maroc, the Moroccan chapter of Transparency International, issued a public statement calling for disclosure of "the strategy of public authorities regarding information systems security" and flagging conflicts of interest where service providers performed consulting, training, software sales, AND audit functions simultaneously.
Source: Transparency Maroc statement via Morocco World News (April 2025), Yabiladi (April 2025).
The Pattern
The CNSS case demonstrates that security tools without governance infrastructure produce a false sense of security. The institution invested in products. It did not invest in the governance layer that proves those products are configured correctly, monitored continuously, tested regularly, and improved systematically.
This distinction — between protection and proof — is the central insight of operational resilience regulation, whether DORA in Europe or BAM directives in Morocco.
Regulatory Mapping: What DORA and BAM Require
DORA Requirements (for Moroccan banks with EU subsidiaries)
Moroccan banking groups with European subsidiaries — including Attijariwafa Bank (present in France, Belgium, Germany, Italy, Netherlands, Spain), Bank of Africa/BMCE (present in France, Belgium, Spain, Netherlands, UK), and Banque Centrale Populaire — are directly subject to DORA through their EU-licensed entities.
| DORA Requirement | Article | Relevance to Morocco Crisis |
|---|---|---|
| ICT risk management framework | Art. 5-16 | CNSS lacked integrated risk governance despite security spending |
| ICT asset identification and classification | Art. 8 | No evidence of comprehensive asset inventory or dependency mapping |
| Data encryption at rest and in transit | Art. 9(4)(c) | Resecurity found unencrypted data accessible to attackers |
| Learning and evolving | Art. 13 | 2020 breach lessons not integrated — same vulnerability categories in 2025 |
| ICT incident management process | Art. 17 | Incident response was reactive, not tested proactively |
| Incident classification and reporting | Art. 18-19 | No structured classification; the 4h/72h/1 month reporting timeline is not applicable but illustrative |
| Third-party ICT risk management | Art. 28-30 | Third-party Oracle system was the attack vector; no evidence of contractual security enforcement |
| Concentration risk assessment | Art. 29 | Multiple institutions compromised by same actor suggests shared infrastructure dependencies |
| Resilience testing programme | Art. 24-27 | No evidence of tested recovery procedures |
Bank Al-Maghrib Requirements
BAM supervises 93 credit institutions in Morocco (as of end 2024, per BAM official statistics). Its regulatory framework includes:
| BAM Directive | Scope | Gap Exposed |
|---|---|---|
| Directive on IT Risk Management | IT governance, risk assessment, security controls, incident management | CNSS: governance framework failed to prevent or detect breach despite tool deployment |
| Directive PCA (Business Continuity) | BIA, recovery strategies, annual testing | No evidence of tested incident response or business continuity activation |
| Directive PRA (Disaster Recovery) | Recovery plans, RTO/RPO | Data recovery and containment timeline suggests untested recovery procedures |
| Directive on Outsourcing | Risk assessment, contractual safeguards, monitoring, exit planning | Third-party Oracle system exploited; vendor oversight insufficient |
| Circular on Cybersecurity | Cyber threat management | 20.7M attack attempts in H1 2025; tools detected some, governance prevented none |
Law 09-08 (Data Protection)
Morocco's data protection law establishes penalties for security failures:
| Infraction | Sanction | Source |
|---|---|---|
| Failure to implement adequate security measures | MAD 100,000 to 300,000 | Law 09-08, CNDP sanctions list |
| Unlawful processing of sensitive data | 3 months to 1 year imprisonment + fines | Law 09-08, Art. 51-65 |
| Failure to notify data subjects | Administrative sanctions (warning, injunction, withdrawal) | CNDP enforcement framework |
Source: CNDP official sanctions list; Law 09-08 via DGSSI.
Context: The maximum fine under Law 09-08 is MAD 300,000 (~EUR 28,000). Compare this to DORA's penalty framework: up to 2% of global annual turnover for financial entities, or EUR 1 million personal liability for board members. The deterrence gap between Moroccan and European data protection enforcement is significant — and Moroccan banks with EU subsidiaries face both regimes simultaneously.
What BAM and DORA Require That Morocco's Institutions Did Not Demonstrate
1. Asset Register with Dependency Mapping
DORA Art. 8 / BAM IT Risk Directive: Organizations must maintain a comprehensive, current inventory of all ICT assets with dependency mapping, criticality classification, and ownership assignment.
Morocco gap: Multiple institutions were breached through third-party systems, shared infrastructure, or unsecured access points — indicating either incomplete asset inventories or failure to classify and monitor dependencies.
2. Tested Incident Response
DORA Art. 17 / BAM PCA Directive: Incident management processes must be established, documented, and regularly tested.
Morocco gap: The public response to the CNSS breach — acknowledgment two days after data publication, no proactive notification mechanism, government spokesman statement rather than structured incident communication — suggests procedures existed on paper but had not been operationally validated.
3. Third-Party Risk Assessment
DORA Art. 28-30 / BAM Outsourcing Directive: Organizations must assess ICT third-party risk, enforce contractual security requirements, monitor service provider security posture, and maintain exit strategies.
Morocco gap: The CNSS attack vector was a third-party Oracle-based system. Transparency Maroc flagged conflicts of interest where vendors simultaneously provided consulting, software, and audit services — a violation of separation of duties principles fundamental to both DORA and BAM frameworks.
4. Evidence-Based Governance
DORA Art. 5(2) / BAM Governance Directive: The management body must approve, oversee, and periodically review the ICT risk management framework. Board members are personally accountable.
Morocco gap: Post-breach disclosures revealed that governance structures existed formally but did not produce auditable evidence of oversight, testing, or continuous improvement. Five cybersecurity contracts were signed — but no publicly available evidence suggests the outputs of those contracts were validated, tested, or independently audited for effectiveness.
5. Encryption and Access Control
DORA Art. 9(4)(c) / BAM Cybersecurity Circular: Cryptographic controls must protect data at rest and in transit. Access control must follow least-privilege principles.
Morocco gap: Resecurity's analysis found attackers accessed large volumes of unencrypted data. The 2020 breach occurred through an unsecured access point. Both incidents point to foundational access control and encryption failures that persisted across years and multiple security contracts.
The DGSSI Framework and National Response
Morocco's cybersecurity governance operates under the Direction Generale de la Securite des Systemes d'Information (DGSSI), designated as the National Cybersecurity Authority under Decree 2-21-406 (implementing Law 05-20 on cybersecurity).
The DGSSI published the National Directive on Information System Security (DNSSI) via Circular No. 3/2014, covering all public administrations, public institutions, and critical infrastructure operators. In November 2024, the Council of Ministers adopted a new decree on cloud use by critical entities (Decree 2-24-921), establishing security requirements and oversight mechanisms for cloud service providers.
Source: DGSSI official publications (dgssi.gov.ma).
These frameworks exist. The question raised by the 2025-2026 breach wave is whether they are being implemented, tested, and enforced — or whether they remain, like the CNSS cybersecurity contracts, a compliance artifact rather than an operational reality.
Lessons for Financial Institutions
1. Security Products ≠ Security Governance
The CNSS had five cybersecurity contracts and a dedicated budget. It was still breached — twice. Tools detect threats. Governance proves that detection is configured, monitored, tested, and improved. Without the governance layer, security spending is unverifiable.
2. Incident Response Must Be Tested Before It Is Needed
Every regulatory framework — DORA, BAM, ISO 22301, NIST — requires tested incident response procedures. A plan that has never been exercised under realistic conditions is an assumption, not a capability. The CNSS breach response timeline suggests the institution's procedures had not been operationally validated.
3. Third-Party Risk Is First-Party Risk
The CNSS was breached through a third-party Oracle-based system. The Marquis Financial Solutions breach in the US exposed 672,000 people across 74 banks through a single unpatched vendor firewall. SecurityScorecard's 2025 report found that 96% of Europe's top 100 banks experienced third-party breaches. The attack surface is not your perimeter — it is your entire supply chain.
4. Prior Breaches That Don't Produce Governance Changes Will Recur
The 2020 CNSS breach exposed 3.5 million users. The 2025 breach exposed 2 million. The September 2025 second attack confirmed that structural vulnerabilities survived the first incident. Without a formal lessons-learned process that produces traceable corrective actions — what DORA calls "learning and evolving" (Art. 13) — breach history becomes breach prophecy.
5. Data Protection Without Enforcement Is Performative
The CNDP — Morocco's data protection authority — was itself compromised in March 2025, one month before the CNSS breach. Law 09-08 imposes a maximum fine of MAD 300,000 (~EUR 28,000). For institutions managing the data of two million people, this is not a deterrent — it is a rounding error. DORA's penalty framework (up to 2% of global turnover, EUR 1M personal board liability) exists precisely because weak enforcement enables governance complacency.
Implications for Moroccan Banks
Morocco's banking sector — 19 banks, 5 participatory banks, 6 offshore banks under BAM supervision — faces a dual imperative:
1. BAM compliance is necessary but not sufficient. BAM directives cover governance, BCP, DR, outsourcing, and incident management. But they lack DORA's prescriptive incident reporting timelines (4h/72h/1 month), concentration risk quantification requirements, TLPT testing mandate, and structured information sharing framework.
2. Banks with EU subsidiaries face DORA directly. Attijariwafa Bank, Bank of Africa, and Banque Centrale Populaire all operate EU-licensed subsidiaries. Those subsidiaries are in-scope for DORA. European supervisors — ACPR, BaFin, DNB — are actively enforcing. The penalty framework is orders of magnitude larger than Law 09-08.
3. The 2025-2026 breach wave has raised the bar. Moroccan regulators, legislators, and public opinion now expect demonstrable cybersecurity governance — not procurement receipts. The CNSS case made "we invested in security" an insufficient answer. The question is now: "Where is the evidence that your investment works?"
Conclusion: Protection Versus Proof
The 2025-2026 Morocco cybersecurity crisis is not primarily a technology failure. It is a governance failure.
The institutions that were breached had security tools. They had budgets. They had contracts. What they lacked was the governance infrastructure to prove that those investments translated into actual resilience — tested plans, encrypted data, monitored third parties, auditable evidence, and corrective actions tracked to closure.
Cybersecurity protects. Governance proves.
In an era where regulators, boards, and citizens demand demonstrable resilience — not just declared intent — the difference between the two is the difference between compliance and credibility.
Sources
All claims in this article are sourced from publicly available reporting and official publications:
- France 24, "Au Maroc, les donnees de pres de deux millions de citoyens piratees dans une cyberattaque," April 10, 2025
- Medias24, "La cyberattaque contre la CNSS decryptee en 10 points cles," April 12, 2025
- Medias24, "Victime de hackers, la CNSS avait pourtant passe cinq marches de cybersecurite depuis un an," April 10, 2025
- Medias24, "Apres Jabaroot, un nouveau hacker revendique une cyberattaque contre la CNSS," September 9, 2025
- Resecurity, "Cybercriminals Attacked National Social Security Fund of Morocco," April 2025
- Euronews, "Hackers breach Morocco's social security database in unprecedented cyberattack," April 10, 2025
- SecurityAffairs, "National Social Security Fund of Morocco Suffers Data Breach," April 2025
- Jeune Afrique, "Au Maroc, une nouvelle cyberattaque cible le ministere de la Justice," June 2025
- Jeune Afrique, "Au Maroc, la cyberattaque devient une affaire d'Etat," April 2025
- CybelAngel, "Our Investigation of the ANCFCC Data Leak — Flash Report," June 2025
- Morocco World News, "Alleged Cyberattack on OFPPT Sparks Alarm Over 400,000 Leaked Student Records," April 2026
- Morocco World News, "Transparency Maroc: CNSS Data Breach Exposes Critical Flaws in Morocco's Cybersecurity," April 2025
- Morocco World News, "After Jabaroot Data Leaks, CNSS Allocates $4 Million for Cybersecurity," September 2025
- Yabiladi, "Morocco's CNSS: Security breaches since 2020, despite a 4.8 million dirham budget in 2024," April 2025
- APA News, "Maroc : une vague de cyberattaques cible les institutions publiques," March 2025
- Kaspersky telemetry via ecoactu.ma, "Cyber risques : pres de 21 millions de tentatives d'attaques detectees au Maroc au 1er semestre 2025"
- Bank Al-Maghrib, "Structure du systeme bancaire," bkam.ma (end 2024 data)
- CNDP, "Liste des infractions a la loi n09-08 et des sanctions prevues," cndp.ma
- DGSSI, "National Directive on Information System Security," dgssi.gov.ma
- DGSSI, "Decree No. 2-24-921 on the use of cloud service providers by entities and critical infrastructures," dgssi.gov.ma