Personal info of 93.4 million Mexicans exposed on Amazon (UPDATED)

In today’s installment of “Epic Infosecurity #FAIL,” more than 93.4 million Mexican citizens have had their voter registration details exposed online due to a misconfigured database. Why a database with Mexican voters’ information was hosted on a server outside of Mexico, who uploaded it to Amazon, and why it wasn’t properly secured are questions in search of answers.

Last week, MacKeeper Security Researcher Chris Vickery contacted DataBreaches.net to report that he had discovered yet another misconfigured MongoDB database. This one, 132 GB in size, appeared to contain voter registration data from 93,424,710 Mexican citizens.

Vickery, who has blogged about this incident on the MacKeeper blog, provided this site with a redacted screen cap of an individual’s record:

The record contains the individual’s name, complete address, date of birth, mother’s and father’s last names, occupation, and their unique voting credential code (number/identifier). Mexico currently recognizes two types of voter cards. One contains OCR numbers; the other contains a different type of formatted identifier. This database, labeled “padron2015,” appears to contain OCR numbers. No pictures or financial information was included in the database.

Although there was no information included in the leaky database that could point us to its owner or who had uploaded it to Amazon cloud services, the data appeared to be voter registration data compiled by the Instituto Nacional Electoral (INE).

After some discussion as to whom to notify and how, Chris decided to report his discovery to the State Department and let them contact their Mexican counterparts in the spirit of cooperation. When he got no meaningful response, he reached out to the State Department’s Office of Mexican Affairs, who told him they would forward his alert up the chain. When that still didn’t achieve the desired results of getting the database secured, Chris contacted the U.S. Secret Service, Department of Homeland Security, and US-CERT. He also contacted the Mexican embassy directly:

After I explained the situation over the phone, they wanted proof of the breach and gave me an email address to send it to. I sent them an explanation with the IP address and two screenshots as evidence. The embassy has never even responded to that email.

(First lesson to be learned by INE: provide an easy-to-find email address on your web site for people to report security breaches.)

As fate would have it, though, Chris was speaking up at Harvard about his research and mentioned the leak. A student from Mexico verified the accuracy of his father’s record, and a faculty member tried to assist Chris with the notification problem by giving him other individuals to contact. Chris eventually heard back from someone from the Instituto Federal Electoral (IFE/INE), who thanked Chris and said they would get right on getting it secured. Of note, the coordinator said that the IP address was not theirs and that he was investigating to see who was responsible for the database being on that IP address. In a subsequent communication to DataBreaches.net, the coordinator reported that the numbers in the database did not match national historic numbers, and that had become part of their investigation, too.

The database has now been secured.

Publication of this post was delayed until now at the request of the Mexican government to give them time to investigate and to secure the database.

The Risk to Mexican Citizens

This is not the first time voter registration information of Mexican citizens has been leaked or otherwise compromised. In what became an international incident in 2003, Latin American countries learned that ChoicePoint was buying – and selling – information on citizens of their countries. And in discussing this incident with Héctor Guzmán, Partner at BGBG Abogados (Data Protection & Privacy practice), DataBreaches.net learned that Mexico has had other leaks involving voter information. Guzmán pointed DataBreaches.net to a previous breach in 2010 that also contained extensive data, all of which were up for sale. And in May, 2012, there was another investigation by the Mexican government concerning an entire electoral roll that had been found for sale. A November, 2013 article on Global Voices also noted data up for sale on buscardatos.com.

DataBreaches.net has no indication that the current leak is associated with any attempt to sell the data, but given that 2015 data has now been found exposed in 2016, the Mexican government may wish to review their protections, because as Guzmán explains, the risk is huge:

Mexico is (still) dealing with security issues in many parts of its territory. So even when this “padron” is not a completely reliable source of the place where citizens actually live, most of the time the address contained in the padron coincides with their real address. Then, if you have access to this database, you will know exactly where they live. That and the fact that this information may provide information to companies that otherwise might have need to spend a lot of time and money to get this kind of data.

“This incident clearly erodes the confidence of citizens in a lot of government bodies. Some citizens might decide to never provide their data again to the INE, the next time their ID expires,” Guzmán adds, noting that although it’s a relief that financial and bank information were not leaked, “the information could still be used for criminal purposes since the location of citizens are available.”

Mexico’s data protection laws do not require the government to notify individuals of this incident.

Entire Countries Breached

With this leak, Mexico now joins a list of countries where almost the entire population has had their personal information leaked or breached, as 93.4 million represents over 72% of Mexico’s estimated population. Belize, Greece, Israel, Philippines, and Turkey have also experienced leaks of the majority of their population’s personal information. And of course, let’s not forget that Chris Vickery had also discovered 191 million U.S. voters’ data leaking due to a similarly misconfigured database.

Update 1: Dell Cameron has some great coverage over on Daily Dot as to the frustration Chris Vickery experienced with Amazon when he tried to get them to take the database down. A Spanish version of this article is available here.

Update 2: It looks like INE responded publicly and has filed a complaint (?) against whoever is responsible, but it’s not clear to me (translation issues) if they know who is responsible. See tweets today by @INEMexico. I am still trying to get a statement and some answers from INE.

Here is an infographic on @INEMexico's actions against misuse of the voter roll pic.twitter.com/FrC6SCsIWM — Ciro Murayama (@CiroMurayamaINE) April 22, 2016

Update 3: It seems that the INE has identified the source of the leaking database but isn’t announcing it yet. And from the article, it sounds like copies provided to political parties – who are entitled to get the copies – are somehow electronically watermarked, which enabled the INE to trace the database back to its owner.

Curiously, they are saying the February 2015 database had 81 million voters, although the database Chris Vickery found shows over 93 million records. Perhaps there are some duplicates in there?

Update 4: I received a response from INE, which I’ve posted in a new post. Yes, there were duplicates in the database.

Update 5: See also Mexico launches criminal probe into exposure of voter information.

Update 6: Chris Vickery informs me that the Mexican embassy in Washington D.C. called him over the weekend to apologize for not responding to his first email alert. It seems it went to their spam folder and was deleted. How do you say, “Oi veh” in Spanish?

Update 7 (Apr. 27): A reader kindly informed me that Movimiento Ciudadano, one of the political parties that had legitimate access to Mexico’s voter data list, has admitted it was their copy of the voter’s list. See my post about their outrageous attempt to blame the researcher, here.

Update 8 (Apr. 28): See my latest follow-up story here about the political party misleading the Mexican people and how Amazon did not tell them they were “hacked.”