A database containing the personal information of more than 93 million Mexican voters became public last week, but it was only through the determined efforts of a security researcher that it was taken down this morning.
Chris Vickery of MacKeeper, a security research center, found the database on an Amazon cloud server on April 14. It was publicly accessible and had no password protection.
It contained the names of Mexican citizens, their full addresses, dates of birth, mothers’ and fathers’ names, occupations and names of their parents, information regarded by Mexican authorities as “strictly confidential.”
Yet someone had moved the data out of Mexico and into the U.S., said Vickery on his blog, describing it as “a massive breach of Mexican voter data.”
Vickery said he reported the breach to the U.S. State Department, expecting it would pass the information on to its Mexican counterparts. But the database remained online.
He contacted the U.S. Secret Service, the Department of Homeland Security, the U.S. Computer Emergency Readiness Team and the Mexican embassy. He explained the situation to an official at the embassy and followed up with information, including a screenshot of the database information, by email.
Vickery heard nothing back, and the voter information remained online and accessible.
In the end it was either by dealing directly with Amazon through its abuse reporting system or a chance encounter with a Mexican student that resulted in the database being taken down.
Vickery was giving a talk at Harvard University, primarily on data breeches, and spoke of his latest discovery. A Mexican student who was present was able to confirm the accuracy of at least one record: that of his father.
A Harvard faculty member gave Vickery names of people to contact and he eventually heard from an official with Mexico’s National Electoral Institute, who thanked him for the information and indicated they were working on getting the database secured.
At Amazon, Vickery found the abuse reporting system difficult to navigate and eventually had to plead with the company to have the database taken offline.
Vickery said he believed the leak had life-threatening implications, and told Amazon so.
“The existence of this database is, itself, a violation of federal Mexican law. The server is, at this very moment, allowing the public to copy 93.4 million voter registration records. Under Mexican law, these records are ‘strictly confidential,’” he wrote.
“People’s lives are at stake here. Kidnapping is a considerable problem in Mexico. Right now one of your servers is handing out the home addresses of 93.4 million Mexicans. Is Amazon seriously not willing to do anything about this?”
Vickery said the database was taken down early this morning after he received an email in which Amazon apologized.
“I’m not sure if it was my abuse report that finally got it taken down or if the Mexican INE got to Amazon,” said Vickery, “but one of us made the difference.”
DataBreaches.net, a blog operated by a privacy advocate, reported this morning that it was not the first time Mexican voter information has been leaked or compromised. In at least three cases voter registration information was being offered for sale.
A lawyer with BGBG Abogados, which specializes in data protection and privacy, said the breach represents a big risk, particularly because of security issues in many parts of Mexico.
It also erodes public confidence in government bodies, said Héctor Guzmán, warning that voters may not wish to provide their data again to the INE.
The database contained no financial information, or photos.
But the data could still be used for criminal purposes because it gave the addresses of citizens, he said.
The INE said today it had filed a criminal complaint before the Special Prosecutor for Electoral Crimes, or Fepade, in connection with the data breach.
It also said there was no indication that there had been a breach in voters’ list security systems or intrusions into the INE database.