The combined sources present a critical analysis of the October 2025 cybersecurity incident impacting Uruguay’s Plataforma GURI, the education system's central data repository for millions of citizens, including minors. Security analysts confirm this incident is part of a systemic cyber campaign targeting the Uruguayan public sector, concurrent with breaches against the state bank (BHU) and the Ceibal education program. The central governance failure identified is the official refusal by ANEP to confirm or deny claims by groups like Tacuara, who alleged the theft of nearly 3 million sensitive PII records, thereby eroding public trust and exposing families to identity fraud risks. Legally, critics argue that the confirmed security failure violates the essential Principle of Security mandated under Uruguayan law, thereby undermining ANEP’s legal justification for processing sensitive data, particularly as it pertains to the integration of student academic and Ministry of Public Health records. The GURI platform’s failure also highlighted systemic weaknesses, including a lack of Multi-Factor Authentication and poor network segmentation, which allowed threat actors to achieve unauthorized access. The sources unanimously recommend immediate mandatory disclosure and the enforcement of foundational security controls to address these deep-seated vulnerabilities.