Jose Rodriguez

System Administrator

Systems Engineer

Data scientist

Computer Engineer

Cyber Security

Massive Personal Data Exposure on RENIEC’s Electoral Roll: The 2026 Peru Scandal and How to Protect Yourself

In a country where digital identity powers everything—from banking to voting—a catastrophic security failure at Peru’s National Registry of Identification and Civil Status (RENIEC) has put millions of citizens at risk. The public portal https://sisbi.reniec.gob.pe/PLPI, intended for consulting the Initial Electoral Roll (LPI) for the 2026 General Elections, allowed unrestricted access to highly sensitive data: full names, national IDs (DNI), home addresses, photos, signatures, and voting details. As of today, the site is offline, but the breach is irreversible. This isn’t just a glitch—it’s a national-scale data exposure that undermines trust in Peru’s electoral process.

As a cybersecurity expert who has conducted audits for Peruvian universities and corporations, I’ve seen how poor access controls lead to identity theft, fraud, and extortion. Drawing from recent journalistic reports, official statements, and technical analysis, this article breaks down what happened, why it matters, and—most importantly—what you must do now.


The Breach: What Went Wrong at RENIEC?

The LPI was published on October 27, 2025, to allow citizens to verify their voter registration until October 31. It includes over 27 million registered voters, with personal details such as:

  • Full name
  • DNI number
  • Home address (street, district, province)
  • Photo
  • Signature
  • Voting table and location

To query the system, users only needed to enter a DNI and its check digit: no CAPTCHA, no OTP, no two-factor authentication.

Timeline of Events:

| Date | Event |
|---|---|
| Oct 27 | LPI goes live on sisbi.reniec.gob.pe/PLPI |
| Oct 27–28 | Social media erupts: users discover that entering one DNI reveals nearby records (family, neighbors) with full addresses and photos |
| Oct 28 | Hundreds of complaints flood X (Twitter), Facebook, and TikTok |
| Oct 29 | Site taken offline. RENIEC issues statement calling the exposure “legal and mandatory” under Election Law N° 26859 |
| Oct 29 | Defensoría del Pueblo demands urgent data protection measures |

Critical flaw: The system lacked rate limiting and authentication, enabling automated scraping. A simple script could extract thousands of records per minute.


Why This Is a Disaster: Real-World Risks

This isn’t theoretical. In Peru, where cybercrime rose 30% year-over-year (PNP 2025 report), exposed data becomes weaponized:

| Risk | How It Works | Real Impact |
|---|---|---|
| Identity Theft | Criminals use DNI + photo + signature to forge documents | Fake loans, tax filings, or government benefits |
| Doxing & Extortion | Full home addresses enable physical threats | “Pay or we visit your house” scams |
| Dark Web Sales | Databases sold for S/50–200 per 1,000 records | Used in phishing, ransomware, or SIM swapping |
| Electoral Manipulation | Geolocated voter data targets swing districts | Fake voter challenges or intimidation |
| Mass Phishing | Personalized SMS/email attacks using real names & addresses | 80% success rate in smishing campaigns |

Precedent: After the 2023 MEF data leak, over 5,000 fraud cases were reported in 6 months. This RENIEC breach is 5x larger.


RENIEC’s Response: Transparency or Negligence?

RENIEC defends the publication as legally required for electoral transparency. But critics—including the Defensoría del Pueblo and digital rights expert Erick Iriarte—argue:

  • Legal obligation ≠ zero security: The Organic Election Law mandates public access, not unprotected exposure.
  • No anonymization: Addresses and photos could have been masked or require in-person verification.
  • No breach notification: Millions affected, zero official alerts.

Legal consequences: Possible fines up to 100 UIT (S/515,000) under Peru’s Data Protection Law (N° 29733). Political calls for the resignation of RENIEC President Carmen Velarde Koechlin.


Technical Breakdown: How the System Failed

From a sysadmin’s view, this was preventable:

```http
GET /PLPI/consulta?dni=12345678&dv=9 HTTP/1.1
Host: sisbi.reniec.gob.pe
```

→ Returns JSON with full record + related entries

Vulnerabilities:

  • No rate limiting → bots could query 1,000+ DNIs/min
  • No authentication → public endpoint
  • No data minimization → full PII exposed
  • No logging/monitoring → no trace of mass scraping

This is a classic Insecure Direct Object Reference (IDOR) + Missing Access Controls flaw (OWASP Top 10).
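
As an added illustration (not RENIEC's code and not from the original post), the sketch below shows a lookup handler that applies three of the missing controls listed above: per-client rate limiting, a field allowlist for data minimization, and an audit trail. The record schema, the 5-per-minute limit and the `RollLookup` class are assumptions made for the example.

```python
import time
from collections import defaultdict, deque

# Constructed sample record; field names are assumptions, not RENIEC's schema.
ROLL = {
    "12345678": {"full_name": "ANA MARIA QUISPE FLORES", "address": "JR. EJEMPLO 123",
                 "district": "PIURA", "photo": b"...", "signature": b"...",
                 "voting_table": "045123", "voting_place": "I.E. EJEMPLO"},
}
PUBLIC_FIELDS = ("district", "voting_table", "voting_place")  # allowlist, not a blocklist
WINDOW_S, MAX_QUERIES = 60, 5   # assumed policy: 5 lookups per client per minute

class RollLookup:
    def __init__(self, clock=time.monotonic):
        self.clock = clock
        self.hits = defaultdict(deque)   # client id -> timestamps of recent queries
        self.audit = []                  # stand-in for an append-only audit log

    def _allowed(self, client):
        now, q = self.clock(), self.hits[client]
        while q and now - q[0] >= WINDOW_S:   # drop timestamps outside the window
            q.popleft()
        if len(q) >= MAX_QUERIES:
            return False
        q.append(now)
        return True

    @staticmethod
    def _mask_name(name):
        # Keep only the initial of each name part: enough to confirm "that is me".
        return " ".join(p[0] + "*" * (len(p) - 1) for p in name.split())

    def query(self, client, dni):
        if not self._allowed(client):
            self.audit.append((self.clock(), client, dni, 429))
            return 429, {"error": "rate limit exceeded"}
        rec = ROLL.get(dni)
        self.audit.append((self.clock(), client, dni, 200 if rec else 404))
        if rec is None:
            return 404, {"error": "not found"}
        # Only the queried record, only allowlisted fields: no address, photo,
        # signature, and no "related entries".
        body = {k: rec[k] for k in PUBLIC_FIELDS}
        body["name"] = self._mask_name(rec["full_name"])
        return 200, body
```

Every request, including throttled and failed ones, lands in the audit list, which is what gives monitoring something to alert on.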


Protect Yourself NOW: 5-Step Emergency Plan

Don’t wait for RENIEC. Act today:

1. Freeze Your Credit & Alert Banks

  • Contact SBS (www.sbs.gob.pe) to flag your DNI
  • Set daily limits on Yape, Plin, and bank apps

2. Change All Sensitive Passwords

```bash
# Generate strong passwords
openssl rand -base64 32
```

Update:

  • Online banking
  • RENIEC virtual PIN
  • SUNAT, ONPE, Essalud

3. Monitor for Identity Theft

  • Add your email/DNI to Have I Been Pwned? (haveibeenpwned.com)
  • Set Google Alerts for your full name + DNI
  • Use credit monitoring (if available via your bank)

4. File Complaints

  • Indecopi: www.indecopi.gob.pe → Data protection violation
  • Autoridad Nacional de Protección de Datos Personales (ANPD)
  • Join class-action efforts (lawyers already organizing)

5. Secure Your Devices

| Tool | Purpose |
|---|---|
| Bitwarden | Password manager with breach alerts |
| Malwarebytes Mobile | Scan for phishing apps |
| ExpressVPN / NordVPN | Hide IP on public Wi-Fi |

Lessons for Peru’s Digital Future

This breach exposes a systemic failure in public-sector cybersecurity:

RENIEC must implement:

  • Biometric login for sensitive queries
  • Anonymized public views (hide addresses/photos)
  • Annual third-party audits (e.g., Deloitte, PwC Perú)
  • Real-time scraping detection
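
One way to approach the real-time scraping detection called for above, as an added example that is not from the original post or from RENIEC: flag any client that looks up more than a handful of distinct DNIs within a minute. The log line format, the threshold and the sample traffic are constructed for illustration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed (constructed) log format:
#   <ISO time> <client ip> GET /PLPI/consulta?dni=<8 digits>&dv=<digit> <status>
LINE = re.compile(r"^(\S+) (\S+) GET /PLPI/consulta\?dni=(\d{8})&dv=\d (\d{3})$")
WINDOW = timedelta(seconds=60)
MAX_DISTINCT = 5   # assumed: a household checks a handful of DNIs, not dozens

def make_sample_log():
    """Constructed traffic: one ordinary visitor and one client enumerating DNIs."""
    base = datetime(2025, 10, 27, 9, 0, 0)
    lines = []
    for i, dni in enumerate(["40000001", "40000002", "40000001"]):
        ts = (base + timedelta(seconds=20 * i)).isoformat()
        lines.append(f"{ts} 198.51.100.7 GET /PLPI/consulta?dni={dni}&dv=1 200")
    for i in range(30):
        ts = (base + timedelta(seconds=i)).isoformat()
        lines.append(f"{ts} 203.0.113.9 GET /PLPI/consulta?dni={41000000 + i}&dv=1 200")
    return sorted(lines)   # ISO timestamps sort chronologically

def detect_scrapers(lines):
    """Return {client: first alert time} for clients over MAX_DISTINCT DNIs per WINDOW."""
    recent = defaultdict(deque)   # client -> (time, dni) pairs still inside the window
    alerts = {}
    for line in lines:
        m = LINE.match(line)
        if not m:
            continue              # skip lines that are not lookup requests
        ts, client, dni = datetime.fromisoformat(m.group(1)), m.group(2), m.group(3)
        q = recent[client]
        q.append((ts, dni))
        while ts - q[0][0] > WINDOW:      # expire entries older than the window
            q.popleft()
        # Count distinct DNIs, so a voter re-checking their own record is not flagged.
        if len({d for _, d in q}) > MAX_DISTINCT and client not in alerts:
            alerts[client] = ts
    return alerts

if __name__ == "__main__":
    for client, when in detect_scrapers(make_sample_log()).items():
        print(f"ALERT {client} exceeded {MAX_DISTINCT} distinct DNIs/min at {when}")
```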

With elections in 2026, trust is fragile. One more breach could delegitimize the entire process.

“Transparency without security is recklessness.” — A Peruvian cybersecurity wake-up call.


Was your data exposed? Need a security audit? I offer data breach assessments, secure API design, and employee training (in English/Spanish). Based in Piura, available nationwide.

Contact: joselinkin@gmail.com | +51 991 974 415

Your identity is your most valuable asset. Protect it.


Jose Rodríguez is a Systems Engineer and Cybersecurity Specialist with a Master’s in Information Security (Universidad de La Rioja). He secures digital platforms at Universidad de Piura and consults on data protection across Peru. Read more at joseramiro.lat.
