At least 50 people linked to Mexico’s president, Andrés Manuel López Obrador – including his wife, children, aides and doctor – were included in a leaked list of numbers selected by government clients of the Israeli spyware company NSO Group before his election.
Politicians from every party, as well as journalists, lawyers, activists, prosecutors, diplomats, teachers, judges, doctors and academics, were also among more than 15,000 individuals selected as possible targets for surveillance between 2016 and 2017, according to an investigation by a collaboration of international media outlets including the Guardian.
The extraordinary number of Mexican numbers in the leaked data – including phones belonging to priests, victims of state-sponsored crimes and the children of high-profile figures – severely undermines NSO’s claims that its hacking software is only used by its clients to fight serious crime and terrorism.
Contracts with NSO would be likely to have cost hundreds of millions of dollars, in a country where about half the population lives in poverty.
“Mexico’s capacity to spy on its citizens is immense. [And] it’s extremely easy for the technology and the information obtained through the spyware to fall into private hands – be it organised crime or commercial,” said Jorge Rebolledo, a Mexico City security consultant. “What we know about is only the tip of the iceberg.”
The data leak is a list of more than 50,000 phone numbers that, since 2016, are believed to have been selected as belonging to people of interest by government clients of NSO Group.
While the leak indicates phone numbers that were targeted for potential surveillance by NSO’s Pegasus clients, it is not possible to say whether phones were successfully infected with the spyware without forensic analysis of each device. But technical analysis of more than 37 phones from around the world whose numbers were included in the data found evidence they were breached using Pegasus spyware.
The records cover a period towards the end of one of the most scandal-ridden Mexican administrations in recent history. At the time, the then president, Enrique Peña Nieto, and his Institutional Revolutionary party (PRI) were tanking in the polls.
The findings reflect warnings from security experts that cybersurveillance is unregulated and out of control in Mexico – a country where federal and state governments have long used informants, infiltrators and listening devices to monitor and repress dissent.
Mexico was the first country in the world to buy Pegasus from NSO and became something of a laboratory for the spy technology, which at the time was in its infancy.
The defence ministry was the first to acquire the spyware in 2011 – five years after the armed forces were deployed in the “war against drugs”. When the deal was made, Mexico’s police, army and navy had already been implicated in systematic human rights abuses including torture, enforced disappearances and extrajudicial killings.
Other Mexican agencies that bought and/or operated Pegasus include the attorney general’s office and the national security intelligence service (Cisen). Several state security forces are also believed to have access to the spyware, and pervasive corruption has prompted concerns that it could end up in the wrong hands.
In 2012, Peña Nieto, a young, well-groomed politician touted as a reformer, beat López Obrador, the former mayor of Mexico City, to return the PRI to power after a 12-year hiatus.
Peña Nieto promised to take Mexico to its rightful place on the world stage. But a string of corruption scandals, human rights abuses and cover-ups soon tarnished his reputation. Meanwhile López Obrador, known as Amlo, was already planning another run for the presidency – and his party, the National Regeneration Movement (Morena), was gaining ground in local elections.
As Amlo crisscrossed the country campaigning, however, NSO’s Mexican clients selected almost everyone in his inner circle as persons of interest – including his wife, three sons, three brothers and two former chauffeurs, according to analysis of the leaked data. Amlo rarely used his own phone, relying instead on those of his assistant and communications chief – both of which were selected. His chief of staff, Alfonso Romo, his legal counsel, Julio Scherer Ibarra, and his communications coordinator, Jesús Ramírez Cuevas, were also selected.
Even the manager of the amateur baseball team Amlo plays in was selected – as was his cardiologist, Patricio Heriberto Ortíz Fernández.
Amlo had surgery in 2013 following a heart attack at the age of 60, after which his health became the subject of press speculation casting doubt over his ability to govern. “The only target was the candidate; I was a tool,” said Ortíz, who added that he never discussed Amlo’s health on the phone. “I think it’s very serious, but it was the way things were going on in the country. Unfortunately, I’m not surprised.”