Dark Web News Analysis
Cybersecurity intelligence from March 6, 2026, has identified a high-priority listing involving the AGENDAMIENTO.DIAN.GOV.CO portal. The threat actor claims the breach was made possible by exploiting a “known vulnerability” in the scheduling software developed by the third-party vendor Cielingenieria.
The dataset is being offered as a premium commodity on major underground forums. The exfiltrated data reportedly includes:
- Personally Identifiable Information (PII): Full names and unique citizen identifiers (Cédula de Ciudadanía and NIT).
- Communication Metadata: Approximately 18 million unique email addresses and verified mobile phone numbers used for booking tax appointments.
- Technical Format: The data is provided in CSV format, allowing malicious actors to easily ingest the records into automated phishing and “brute-force” tools.
- Verification: The actor has released a “proof-of-concept” sample containing 1 million rows, confirming the authenticity of the records.
Key Cybersecurity Insights
The breach of a national tax authority’s auxiliary platform represents a “Tier 1” strategic threat, as it compromises the “Trust Link” between the state and its citizens:
- Industrialized “Tax Refund” and “Fine” Phishing: This is the most severe risk. Armed with accurate National IDs and appointment history, scammers can launch lures that are 100% convincing. A citizen is significantly more likely to trust a notification regarding “urgent tax documentation” if the message correctly identifies their specific NIT.
- Third-Party Supply Chain Failure: The mention of Cielingenieria highlights a critical vulnerability in the government’s supply chain. Similar to the 2023 IFX Networks attack, this incident proves that even if the core DIAN systems are secure, a weakness in a smaller vendor’s platform (e.g., via an unpatched SQL Injection or broken access control) can expose the entire national registry.
- Identity Cloning and Financial Fraud: In Colombia, the NIT/Cédula paired with a phone number is the primary key for opening bank accounts and obtaining credit. This leak provides a “Golden Record” for identity thieves to bypass security checks on private financial platforms.
- Psychological Operations: Large-scale leaks of government data are often used to undermine public confidence in digital governance. This follows a 2026 trend in Latin America where “Hack and Leak” operations target public institutions to incite civil distrust.
Mitigation Strategies
To protect your digital identity and ensure financial security following this exposure, the following strategies are urgently recommended:
- Immediate Shift to “App-Based” MFA for All Portals: If you use your ID number and a simple password for the DIAN portal or your bank, enable Multi-Factor Authentication (MFA) immediately. CRITICAL: Use an authenticator app (e.g., Google Authenticator) rather than SMS-based codes, which can be intercepted using leaked phone numbers.
- Enforce Hardware-Based MFA for High-Value Accounts: Move beyond passwords. Implement Physical Security Keys to ensure that even if an attacker has your leaked ID and email, they cannot hijack your digital life.
- Zero Trust for “Official” Communications: Treat any unsolicited email or WhatsApp message claiming to be from “DIAN Support” or “Cielingenieria” with extreme caution. Always verify the request by navigating directly to the official dian.gov.co portal; never click a link in an unexpected message.
- Monitor “Cuentas por Pagar” and Credit Activity: Closely monitor your bank statements and the “Mis Consultas” section of the DIAN portal for any unauthorized appointments or tax filings made in your name.
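The “Zero Trust for Official Communications” advice above, expressed as a check that a mail or messaging filter could run on incoming text. This is an added example, not code from Brinztech or DIAN; it assumes dian.gov.co is the only trusted domain, and the function names and the sample message are constructed for illustration.

```python
import re
from urllib.parse import urlsplit

# Assumption: the only trusted domain is the official one named on this page.
OFFICIAL_DOMAIN = "dian.gov.co"
URL_RE = re.compile(r"https?://[^\s<>\"')]+", re.IGNORECASE)


def is_official_link(url: str) -> bool:
    """True only for https links whose host is dian.gov.co or a subdomain of it."""
    try:
        parts = urlsplit(url.strip())
        host = parts.hostname  # lower-cased, with userinfo and port removed
    except ValueError:
        return False
    # Plain http is treated as untrusted: it can be rewritten in transit.
    if parts.scheme != "https" or not host:
        return False
    host = host.rstrip(".")
    # Reject non-ASCII and punycode labels, where lookalike characters hide.
    if not host.isascii() or any(lbl.startswith("xn--") for lbl in host.split(".")):
        return False
    # Match on a label boundary so "notdian.gov.co" and
    # "dian.gov.co.example.net" are not accepted.
    return host == OFFICIAL_DOMAIN or host.endswith("." + OFFICIAL_DOMAIN)


def suspicious_links(message: str) -> list[str]:
    """Return every link in a message that does not point at the official domain."""
    return [u for u in URL_RE.findall(message) if not is_official_link(u)]


# Constructed sample message, not taken from any real campaign.
SAMPLE = (
    "DIAN: su cita fue reprogramada. Confirme en "
    "https://dian.gov.co.citas.example.net/confirmar o consulte "
    "https://agendamiento.dian.gov.co/ y http://dian.gov.co/ "
    "https://dian.gov.co@example.org/login"
)

if __name__ == "__main__":
    for link in suspicious_links(SAMPLE):
        print("do not follow:", link)
```

The check compares the parsed hostname rather than searching the URL string, which is why a link that merely contains “dian.gov.co” in its subdomain or userinfo part is still flagged.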
Secure Your Future with Brinztech — Global Cybersecurity Solutions
From national tax authorities and government agencies to global enterprise groups, Brinztech provides the strategic oversight necessary to defend against evolving digital threats. We offer expert consultancy to audit your current IT policies and GRC frameworks, identifying critical vulnerabilities in your third-party vendor integrations and citizen registries before they can be exploited. Whether you are protecting a national user base or a private corporate network, we ensure your security posture translates into lasting technical resilience—keeping your digital footprint secure, your citizens’ data private, and your future protected.
Questions or Feedback? For expert advice, use our ‘Ask an Analyst’ feature. Brinztech does not warrant the validity of external claims. For general inquiries or to report this post, please email us: contact@brinztech.com