On 22 April 2025, Morocco’s CNSS (Caisse Nationale de Sécurité Sociale) is set to open bids for a public tender aimed at acquiring a Data Loss Prevention (DLP) system. At face value, this sounds like a rational step forward—after all, the organisation has just suffered one of the most serious data breaches in the country’s history.
But let’s be clear: the timing and scope of this tender raise serious questions.
What Happened
CNSS was recently hit by a cyberattack that resulted in the leak of thousands of sensitive documents. These include personal, financial, and possibly medical data tied to Moroccan citizens. The documents are still circulating across Telegram groups and other unmoderated platforms. According to CNSS, some of the leaked documents are fake or edited—but that doesn’t change the fact that large volumes of internal data have left their servers.
So Why the DLP Now?
DLP solutions are designed to prevent sensitive data from being exfiltrated or mishandled. They monitor data flows, enforce rules, and alert admins when confidential data is at risk of exposure. That’s useful—but only when deployed before the breach.
So what does a DLP do after data has already leaked?
Not much.
This tender feels like a reactive move—one that’s more about optics than effectiveness. CNSS is trying to show that it’s doing something, that steps are being taken, and that corrective action is underway. But in truth, a standalone DLP deployment at this stage won’t change the current situation.
What’s Missing
Here’s what we’re not seeing in this response:
Incident response transparency: There’s been no detailed postmortem from CNSS. No technical explanation, no accountability, no public-facing security roadmap.
Containment efforts: Leaked data is still being shared freely. There’s been no legal push, no takedown requests, no coordination with platforms to limit distribution.
Comprehensive security upgrade: The tender only covers DLP. There’s no mention of threat detection, SIEM, MFA hardening, endpoint monitoring, or staff training.
Emergency procurement: Despite the urgency, the tender is following normal procurement procedures. That slows down deployment and signals a lack of urgency.
What Should Be Happening Instead
If CNSS is serious about rebuilding trust and securing its infrastructure, here’s what needs to be on the table:
Immediate legal and technical containment: Collaborate with cybercrime units, file takedown requests, and work with platforms to disrupt data sharing.
Third-party audit: Get independent experts to assess what happened, what was affected, and what needs to change.
Security overhaul: Roll out a layered approach—identity management, access control, SIEM, endpoint detection, and yes, DLP, but not in isolation.
Public communication: Admit what’s known, acknowledge what isn’t, and clearly state what will change going forward.
What we think
You can’t stop a leak after it’s already flooded out. A DLP tool now won’t retrieve the files circulating online. It won’t patch the trust deficit CNSS is now facing. And it won’t be enough to reassure a public that just saw their personal data go viral.
This tender might check a box, but it doesn’t fix the breach.
