MongoDB configuration error exposed 93 million Mexican voter records

According to Mexican law, it's illegal to use voter records for personal gain

mexican election vote

A woman casts her ballot at a polling station during mid-term elections in Mexico City, June 7, 2015.

Credit: REUTERS/Edgard Garrido

A 132 GB database, containing the personal information on 93.4 million Mexican voters has finally been taken offline. The database sat exposed to the public for at least eight days after its discovery by researcher Chris Vickery, but originally went public in September 2015.

Vickery, who works as a security researcher at Kromtech (the company behind MacKeeper), discovered the MongoDB instance on April 14, but had difficulty tracking down the person or company responsible for placing the voter data on Amazon's AWS. He first reached out to the U.S. State Department, as well as the Mexican Embassy, but had little success.

mexican voter record

The database contains all of the information that Mexican citizens need for their government-issued photo IDs that enable them to vote. Along with their municipality, and district information, the database records include the voter's name, address, voter ID number, date of birth, the names of their parents, occupation, and more.

Eventually, after a speaking engagement at Harvard University’s Center for Government and International Studies, Vickery was able to reach someone the Mexican Instituto Nacional Electoral (INE). The database was pulled offline earlier this morning.

Given that the database has been online since September 2015, it isn't clear how many people have accessed the records. Additionally, the actual owner of the account hosting the data remains unknown.

Mexico has strict laws regarding the usage and access of voter information, and the last time such records were in the hands of a company in the U.S., it became an international incident.

"Under Mexican law this data is strictly confidential, carrying a penalty of up to 12 years in prison for transfer or extraction for personal gain. The Mexican Elections Commissioner has confirmed that the database is authentic. The data is now secured but the real question is who else had access to this sensitive information, and who put it on a US-based Amazon cloud server?" Vickery said in a brief statement.

In 2003, data broker ChoicePoint said they were commissioned by the U.S. government to obtain more than 65 million records on registered Mexican voters, and six million drivers in Mexico City.

Last December, in a discovery that mirrors this recent one completely, Vickery discovered a database with 191 million U.S. voter records, followed a short time later by a database housing targeted voting data on 18 million U.S. voters.

In both cases, Vickery worked with Salted Hash and Databreaches.net on the story.

To comment on this article and other CSO content, visit our Facebook page or our Twitter stream.
Insider: Hacking the elections: myths and realities
Notice to our Readers
We're now using social media to take your comments and feedback. Learn more about this here.