News
Delgado addresses a press conference yesterday. Delgado addresses a press conference yesterday.

Researcher accused of hacking voters’ list

But evidence shows Citizens Movement party neglected to secure database

The political party responsible for storing an unprotected copy of the Mexican voters’ list on a cloud server claimed yesterday the list had been hacked, and pointed the finger at the security researcher who discovered the database on April 14.

The Citizens Movement (CM) party claims that the database containing personal information of 87 million Mexican citizens had not been publicly accessible, and had to have been hacked by someone with specialized knowledge of security protocols.

That hacker, said CM national coordinator Dante Delgado, was Chris Vickery, the researcher who notified both Amazon Web Services (AWS), where the information was hosted, and the National Electoral Institute (INE).

Delgado claimed that Amazon notified the party on April 22 of a cyberattack, at which point he ordered removal of the data.

But Amazon has denied there was an attack. The company’s public relations manager for Mexico, Julio Gil, said the database had been stored in an insecure manner on the cloud server. It had no password protection and was publicly visible online.

Delgado said his party had contracted with the technology firm Indatcom to arrange storage of the database on a secure server at Amazon to avoid a repeat of a leak three years ago, and denied it had been sold or commercialized.

If the party were to be accused of selling the information, it wouldn’t be the first time.

The INE fined it 76 million pesos (US $4.4 million) in February for the 2013 leak, when data turned up on a site called buscardatos.com, which sells personal information.

It wasn’t clear why the Citizens Movement thought it necessary to use an Internet server. Contacted this week by the newspaper Milenio, the Institutional Revolutionary Party and the National Action Party said they keep copies of the voters’ list on their own, private servers with strict limits on access.

Delgado said his party was filing a criminal complaint against Vickery, despite the fact he put considerable effort in attempting to have the database secured.

Delgado’s claim that Amazon said its server had been hacked earned a strong rebuke today from a blog devoted to security issues.

“Movimiento Ciudadano [Citizens Movement in Spanish] is either incredibly ignorant or liars. Amazon told them no such thing,” said DataBreaches.net, which also published a statement issued yesterday by Amazon after Vickery inquired about what it had told the Citizens Movement party.

“All AWS security features and networks did, and continue to, operate as designed,” Vickery was advised. “Once AWS was notified that an unsecured database containing sensitive information was being hosted on the AWS Cloud and was publicly accessible via the Internet, we followed our standard security protocols and have since confirmed that this database is no longer publicly accessible.”

DataBreaches.net said the party should reveal the database access logs, which would show that Vickery wasn’t the only one to access the files. At least six IP addresses had accessed it, said the security blog.

Source: Excélsior (sp), Milenio (sp), DataBreaches.net (en)

Reader forum