Personal info of all 94.3 million Mexican voters publicly exposed on Amazon

On April 14, MacKeeper security researcher Chris Vickery discovered another misconfigured MongoDB, but this time the database contained the full names, addresses, birth dates and voter registration numbers for every Mexican voter.

The database containing personal information on 93.4 million Mexican voters was hosted on an Amazon cloud server with “no password or any authentication of any sort” to protect it. And it has been publicly accessible since September 2015, according to Salted Hash’s Steve Ragan, although it is unknown how many people besides Vickery accessed the records.

It took eight days of reporting the massive breach to a plethora of agencies before Vickery could get anyone to listen and take it down. The 132 GB database contained voter registration data on 93,424,710 Mexican citizens; Vickery posted a redacted screenshot of the information it contained on each citizen.

As was explained on the Office of Inadequate Security, the database included “name, data of birth, mother’s and father’s last names, occupation, and their unique voting credential code (number/identifier). Mexico currently recognizes two types of voter cards. One contains OCR numbers; the other contains a different type of formatted identifier. This database, labeled ‘padron2015,’ appears to contain OCR numbers.”

This is a huge breach, and you might think someone would act quickly to lock it down, but Vickery said that’s not the way it went it down at all.

He reported the voter database “configured purely for public access” to the U.S. State Department and the Office of Mexican Affairs. That didn’t produce any results, so Vickery contacted the U.S. Secret Service, the Department of Homeland Security, the Mexican Embassy in Washington and US-CERT.

“It’s got an IP address that I can’t trace to anyone in particular,” he said, “and will be rather difficult to get taken down unless somebody high up can talk to Amazon.”

Yet the database remained publicly accessible, so he turned to Amazon’s abuse reporting system. Vickery called it “equally frustrating,” explaining to The Daily Dot that Amazon’s automated system repeatedly requested irrelevant information. Eventually he wrote to Amazon, saying:

This is not an acceptable response. My abuse report clearly explained that the database is a server using MongoDB software. I gave the IP address and port number. That is the only existing connection information available (and it is all you should need).

The existence of this database is, itself, a violation of federal Mexican law. The server is, at this very moment, allowing the public to copy 93.4 million voter registration records. Under Mexican law, these records are ‘strictly confidential’.

People’s lives are at stake here. Kidnapping is a considerable problem in Mexico. Right now one of your servers is handing out the home addresses of 93.4 million Mexicans. Is Amazon seriously not willing to do anything about this?

Amazon’s policy is that security is up to customers: “While AWS manages security of the cloud, security in the cloud is the responsibility of the customer. Customers retain control of what security they choose to implement to protect their own content, platform, applications, systems and networks, no differently than they would in an on-site datacenter.”

In this case, the unknown customer chose not to use any security at all.

The database stayed publicly accessible until Vickery spoke at Harvard about his research and mentioned the leak. A Mexican student was in attendance and verified his information. The student realized, “Kidnapping is a considerable problem in Mexico, and allowing cartels to download copies of this database could prove disastrous.” The undergraduate engineering student, according to Scientific American, said, “Oh, my God, I can’t believe it. It’s literally my address. It’s literally everything. You don’t understand how many people are vulnerable because of this.”

Vickery was given the details to contact the Instituto Nacional Electoral, or INE, which had no obvious or easy-to-find email address to report breaches.

The database containing personal information on all Mexican voters as of February 2015, which Vickery discovered on April 14, was finally secured on April 22; Vickery is unsure if Amazon or INE was responsible for finally taking action.

Lorenzo Cordova Vianello, INE president, admitted Mexico has a “crime issue” and the exposed database represents a real security threat. Vianello told Scientific American a criminal complaint was filed with a Mexican prosecutor’s office for electoral crimes and the “national cyber police” were notified.

Scientific American added, “As the list is supposed to contain all voters’ names, addresses, parents’ names and voter registration numbers, it would likely include those of potential kidnapping targets such as Mexico’s most famous celebrities, sports stars and politicians, along with millions of ordinary voters.”

The Mexican National Electoral Institute is required under Mexican law to share a copy of the national voter list with nine political parties to prevent fraud. While authorities have not yet publicly named names, Vianello added that each copy of the voter list was watermarked. Officials believe that marking “may help identify the source of the breach.” There were over 93 million Mexican voter records exposed, but Cordova said it “included some duplication, as the latest voter rolls list about 87 million Mexicans.”

Back in 2003, the U.S. government commissioned ChoicePoint “to obtain more than 65 million records on registered Mexican voters and 6 million drivers in Mexico City.” Motherboard pointed out that Mexican voters’ data from 2010 was leaked in 2013. This time, all of it could have been avoided had the database been protected with a password. But even that doesn’t explain who chose to ignore that the files are considered “strictly confidential” by Mexican law, that extracting the data for personal gain carries a penalty of up to 12 years in prison, and put the records on a U.S.-based Amazon cloud server.

Hopefully it will not become the new normal for countries—not just corporations—to fail to protect their citizens’ sensitive data. Vickery found a misconfigured database with millions of U.S. voter records in December. The massive OPM hack resulted in putting 21 million people at risk and included 5.6 million fingerprint records. The Philippines election hack in March contained “228,605 email addresses; 1.3 million passport numbers and expiry dates of overseas Filipino voters; and 15.8 million fingerprint records.” The personal information of 50 million Turkish citizens was posted online after the breach of Turkey’s government servers. If that is the new normal, then that is unacceptable.