A hacker spent a month using Claude to attack the Mexican government. 195 million taxpayer records. Voter data. Government credentials. The AI refused at first — then it didn't. Here's what that means for how enterprises should be thinking about AI security.
Last week, Bloomberg reported that a hacker had used Anthropic’s Claude to carry out a sustained attack on multiple Mexican government agencies over the course of a month. The haul was significant: 150 gigabytes of data, including 195 million taxpayer records, voter registration files, government employee credentials, and civil registry data. The targets included Mexico’s federal tax authority, the national electoral institute, and four state governments.
According to Gambit Security, the cybersecurity firm that investigated the incident, Claude produced “thousands of detailed reports that included ready-to-execute plans, telling the human operator exactly which internal targets to attack next and what credentials to use.” When Claude couldn’t be persuaded to help with a particular step, the hacker switched to ChatGPT. Neither the attack nor the attacker required exceptional sophistication — what it required was persistence, and the patience to keep asking until the guardrail gave way.
Anthropic has since banned the accounts involved and investigated the incident. Their latest model, they say, includes improved tools to detect and disrupt this kind of misuse. That response is reasonable. It is also, structurally, beside the point.
Content moderation policies applied to a public AI are not a security control. They are a friction layer — one that slows down unsophisticated or casual misuse, but offers no reliable protection against a motivated attacker with time and determination. The Mexico hacker did not discover a zero-day vulnerability in Claude’s safety systems. They applied the oldest technique in social engineering: keep asking, try different framings, and wait.
This isn’t a critique of Anthropic’s guardrail engineering. Their researchers are serious and their safety work is genuine. The problem is categorical: any system where an attacker can interact directly with the AI, probe its limits, and iterate on their approach is a system where the AI’s content policy is the primary defence. That is not a design you can make secure by improving the policy. It is a design where the attacker’s patience is the only limiting factor.
The same logic applies to every major public AI platform. OpenAI, Google, Mistral — all of them have guardrails, and all of those guardrails have been bypassed, repeatedly, by people with enough time and motivation to find the path through. The Mexico incident is the clearest illustration yet of what that looks like at scale: not a sophisticated nation-state exploit, not a zero-day, just a determined individual using a consumer product to exfiltrate the records of an entire country.
What the Mexico story illustrates is not a new vulnerability — it is the application of new capabilities to an existing and well-understood threat environment.
In April 2025, UK retailer Marks & Spencer was hit by a ransomware attack carried out by the DragonForce criminal group. Online orders were suspended. Contactless payments went down. The company’s market capitalisation dropped by £1 billion in the days that followed. Customer data was exfiltrated. The entry point was a third-party vendor compromise — not dramatic, not exotic, just a patient attacker finding the weakest link in a large and complex supply chain.
DragonForce did not use AI to carry out that attack. The Mexico hacker did. That is the change. The threat actors who already existed — criminal organisations, state-sponsored groups, persistent individual operators — now have access to the same frontier AI capabilities that are being marketed to enterprises as productivity tools. The attack surface is the same. The capability available to the person on the other side of it has grown substantially.
Gambit Security suggested the Mexico attacker may have been tied to a foreign government. That attribution remains uncertain. What is certain is that the attack was methodical, sustained over weeks, and productive — and that it was carried out with tools available to anyone with a subscription and enough persistence to find the gaps.
Here is the structural argument that the Mexico incident makes clearly: if your sensitive data never passes through a public AI platform, it cannot be exfiltrated by someone who jailbroke that platform.
The guardrail conversation is only relevant because the data and the AI are on the same side of a boundary that an attacker can reach. The hacker in Mexico could direct Claude to find credentials and attack internal systems because the AI was processing information about those systems — information that had been shared with it by legitimate users, or extracted from network responses, or otherwise made available in the course of its operation. The attack worked because the data was accessible to a system the attacker could interact with.
An AI that runs entirely within your own infrastructure — on hardware you control, on a network that does not route to a public API — removes that attack surface at the architectural level. There is no prompt that bypasses a guardrail that doesn’t exist. There is no exfiltration path through a service you are not using. The AI system becomes irrelevant to this category of attack, not because its safety systems are better, but because the data never crosses the boundary the attacker would need to reach.
This is what on-premises private AI deployment actually means in security terms. Not “we have strong data processing agreements.” Not “we use zero-retention APIs.” Not “our latest model has improved guardrails.” It means the interaction between your data and the AI model happens inside your network, under your control, with no third party in the loop and no public service for an attacker to probe.
The SRA’s guidance on AI tools asks solicitors to undertake due diligence on whether third-party platforms are consistent with their professional obligations. The Mexico incident suggests that question deserves a more searching answer than most organisations have yet given it. The threat actors are patient. The guardrails are imperfect. And 195 million records is a very concrete illustration of what imperfect looks like in practice.
JD Fortress AI deploys secure, on-premises AI for businesses across regulated sectors in the UK. If you’re reviewing your AI security posture in light of recent incidents, get in touch — no pitch, just a practical conversation.
If you're thinking about secure AI for your business, we'd love to have a conversation.
Get in Touch →