Mandatory Registration of Mobile Lines in Mexico
As of January 9, 2026, the Mexican Telecommunications Regulatory Commission has mandated that all mobile lines within the country must be associated with a verified identity. This regulation marks a significant shift from the previous system where SIM cards could be purchased anonymously, an arrangement that has now become a tool for scams and identity theft.
The Alleged Security Breach at Telcel
Less than 24 hours after this mandatory registration took effect, Telcel, one of Mexico’s largest telecommunications operators, reportedly experienced a severe security vulnerability. Journalist Ignacio Gómez Villaseñor highlighted that the official Telcel portal allowed access to personal information, such as customer identity, CURP (Unique Population Registry Key), RFC (Federal Taxpayer Registry), and email, without requiring passwords or verification codes.
“This is extremely dangerous. Any cybercriminal could use Telcel’s database to automate the massive extraction of information.” – Ignacio Gómez Villaseñor
Reports indicate that for a short period, malicious actors could exploit this vulnerability to access confidential data through the official portal.
Telcel’s Response and Ambiguities
The revelation of the breach prompted Telcel to issue a statement urging calm among its customers. Their declaration lacked clarity, neither confirming nor outright denying the existence of the security issue.
“Your data is secure. We have implemented additional security measures to protect your information.” – Telcel
Despite the assurances, Telcel acknowledged that it had reinforced security protocols during the registration process.
Admission of a Technical Vulnerability
Hours after the initial reports, Renato Flores, the deputy director of communications at Telcel, admitted on a national radio station that a technical vulnerability had indeed been detected. He claimed that the company acted quickly and responsibly to rectify the situation.
“Telcel acted quickly, responsibly, and transparently. We detected a vulnerability, corrected it immediately, and reinforced security.” – Renato Flores
However, this assertion was contradicted by Gómez Villaseñor, who demonstrated in a video how he could access personal user data, further fueling public concern.
Risks Involved
The exposed data reportedly included:
- Owner identity
- CURP (Unique Population Registry Key)
- RFC (Federal Taxpayer Registry)
This incident conjures comparisons to previous breaches, such as the Endesa hack in Spain, suggesting that attackers may have obtained a wealth of sensitive data.
Challenges Faced During Registration
As the mandatory registration process began, the Telecommunications Regulatory Commission (CRT) noted certain “intermittencies” across various platforms due to high user volume. However, they refrained from addressing the Telcel situation directly.
What Comes Next?
While there have been no reports of data exploitation as yet, the potential for abuse remains. Customers are advised to exercise extreme caution and avoid sharing personal data via SMS, calls, or emails unless they can verify the communication source.
As this scenario unfolds, it serves as a stark reminder of the necessity for robust cybersecurity measures in today’s digital landscape. Users must remain vigilant amidst evolving threats.

