The Office of Vocational Training and Job Promotion (OFPPT) confirmed on Tuesday a «cybersecurity incident» that allegedly exposed the personal data of nearly 100,000 young users. The breach, which occurred on April 12 affected the My Way platform, with data reportedly circulating on the dark web in a CSV file of approximately 19 MB. «The incident is contained and under close monitoring», the institution said in a statement received by Yabiladi.
The OFPPT stressed that the breach did not affect the rest of its information systems. The compromised accounts belonged to users who had accessed the platform to explore training opportunities and complete a professional interests test prior to registration. The platform requires users to create accounts and provide personal details such as names, phone numbers, ID numbers, and email addresses, without submitting supporting documents. The office added that some of the data may be incomplete or inaccurate, as it is self-reported.
The incident is currently under investigation by the OFPPT’s IT teams, in coordination with the relevant authorities and external experts. The institution also assured that no other components of its orientation system, such as training paths, professional projects, or grade records, were affected.
Preliminary findings point to the fraudulent use of a legitimate account, possibly compromised, rather than a direct breach of the system itself. Investigations are ongoing to determine the origin of the attack and assess its full impact before implementing corrective measures.
The OFPPT noted that the incident comes amid a broader context of rising cyber threats and recent data leaks targeting Moroccan institutions, including the CNSS and several government bodies. It added that, since February 2026, it has been implementing an emergency plan to address cybersecurity vulnerabilities, with reinforced measures such as data classification and data loss prevention (DLP) solutions.
The agency said it is stepping up vigilance and efforts to strengthen its security framework and ensure the protection of users’ personal data.
