AAIP Investigates Alleged Massive Data Breach

On December 19, 2025, the Agency of Access to Public Information (AAIP), the enforcement authority of the Personal Data Protection Law 25,326, started an ex officio investigation of a potential massive personal data breach affecting Argentine citizens.

Although the AAIP reported that, to date, it has not received formal notifications of a security incident within the terms established in the applicable regulations, the investigation was triggered by information that circulates publicly. Accordingly, the AAIP deemed it appropriate to exercise its oversight powers and initiate the corresponding proceedings, submitting inquiries to the public entities and private institutions allegedly involved.

The investigation, which is confidential, aims to identify the data controllers responsible for the compromised personal data, the databases involved, verify the existence and characteristics of the incident, and assess the technical and organizational measures implemented to ensure the security and confidentiality of personal data. The AAIP also requested information from federal public entities with competence in cybersecurity matters to confirm whether security incidents had been registered in connection with the potentially affected institutions.

The AAIP’s ex officio actions demonstrate that the absence of prior notification of an alleged security incident is not an obstacle for the supervisory authority to intervene, and that implementing appropriate and duly documented security measures is part of the requirements of the personal data protection regime applicable to both public and private database controllers.