On April 14, MacKeeper security researcher Chris Vickery discovered another misconfigured MongoDB, but this time the database contained the full names, addresses, birth dates and voter registration numbers for every Mexican voter.The database containing personal information on 93.4 million Mexican voters was hosted on an Amazon cloud server with \u201cno password or any authentication of any sort\u201d to protect it. And it has been publicly accessible since September 2015, according to Salted Hash\u2019s Steve Ragan, although it is unknown how many people besides Vickery accessed the records.It took eight days of reporting the massive breach to a plethora of agencies before Vickery could get anyone to listen and take it down. The 132 GB database contained voter registration data on 93,424,710 Mexican citizens; Vickery posted a redacted screenshot of the information it contained on each citizen.As was explained on the Office of Inadequate Security, the database included \u201cname, data of birth, mother\u2019s and father\u2019s last names, occupation, and their unique voting credential code (number\/identifier). Mexico currently recognizes two types of voter cards. One contains OCR numbers; the other contains a different type of formatted identifier. This database, labeled \u2018padron2015,\u2019 appears to contain OCR numbers.\u201dThis is a huge breach, and you might think someone would act quickly to lock it down, but Vickery said that\u2019s not the way it went it down at all.He reported the voter database \u201cconfigured purely for public access\u201d to the U.S. State Department and the Office of Mexican Affairs. That didn\u2019t produce any results, so Vickery contacted the U.S. Secret Service, the Department of Homeland Security, the Mexican Embassy in Washington and US-CERT.\u201cIt's got an IP address that I can't trace to anyone in particular,\u201d he said, \u201cand will be rather difficult to get taken down unless somebody high up can talk to Amazon.\u201d Yet the database remained publicly accessible, so he turned to Amazon\u2019s abuse reporting system. Vickery called it \u201cequally frustrating,\u201d explaining to The Daily Dot that Amazon\u2019s automated system repeatedly requested irrelevant information. Eventually he wrote to Amazon, saying:This is not an acceptable response. My abuse report clearly explained that the database is a server using MongoDB software. I gave the IP address and port number. That is the only existing connection information available (and it is all you should need).The existence of this database is, itself, a violation of federal Mexican law. The server is, at this very moment, allowing the public to copy 93.4 million voter registration records. Under Mexican law, these records are \u2018strictly confidential\u2019.People's lives are at stake here. Kidnapping is a considerable problem in Mexico. Right now one of your servers is handing out the home addresses of 93.4 million Mexicans. Is Amazon seriously not willing to do anything about this?Amazon\u2019s policy is that security is up to customers: \u201cWhile AWS manages security of the cloud, security in the cloud is the responsibility of the customer. Customers retain control of what security they choose to implement to protect their own content, platform, applications, systems and networks, no differently than they would in an on-site datacenter.\u201dIn this case, the unknown customer chose not to use any security at all.The database stayed publicly accessible until Vickery spoke at Harvard about his research and mentioned the leak. A Mexican student was in attendance and verified his information. The student realized, \u201cKidnapping is a considerable problem in Mexico, and allowing cartels to download copies of this database could prove disastrous.\u201d The undergraduate engineering student, according to Scientific American, said, \u201cOh, my God, I can't believe it. It's literally my address. It's literally everything. You don't understand how many people are vulnerable because of this.\u201dVickery was given the details to contact the Instituto Nacional Electoral, or INE, which had no obvious or easy-to-find email address to report breaches.The database containing personal information on all Mexican voters as of February 2015, which Vickery discovered on April 14, was finally secured on April 22; Vickery is unsure if Amazon or INE was responsible for finally taking action.Lorenzo Cordova Vianello, INE president, admitted Mexico has a \u201ccrime issue\u201d and the exposed database represents a real security threat. Vianello told Scientific American a criminal complaint was filed with a Mexican prosecutor\u2019s office for electoral crimes and the \u201cnational cyber police\u201d were notified.Scientific American added, \u201cAs the list is supposed to contain all voters\u2019 names, addresses, parents\u2019 names and voter registration numbers, it would likely include those of potential kidnapping targets such as Mexico\u2019s most famous celebrities, sports stars and politicians, along with millions of ordinary voters.\u201dThe Mexican National Electoral Institute is required under Mexican law to share a copy of the national voter list with nine political parties to prevent fraud. While authorities have not yet publicly named names, Vianello added that each copy of the voter list was watermarked. Officials believe that marking \u201cmay help identify the source of the breach.\u201d There were over 93 million Mexican voter records exposed, but Cordova said it \u201cincluded some duplication, as the latest voter rolls list about 87 million Mexicans.\u201dBack in 2003, the U.S. government commissioned ChoicePoint \u201cto obtain more than 65 million records on registered Mexican voters and 6 million drivers in Mexico City.\u201d Motherboard pointed out that Mexican voters\u2019 data from 2010 was leaked in 2013. This time, all of it could have been avoided had the database been protected with a password. But even that doesn\u2019t explain who chose to ignore that the files are considered \u201cstrictly confidential\u201d by Mexican law, that extracting the data for personal gain carries a penalty of up to 12 years in prison, and put the records on a U.S.-based Amazon cloud server.Hopefully it will not become the new normal for countries\u2014not just corporations\u2014to fail to protect their citizens\u2019 sensitive data. Vickery found a misconfigured database with millions of U.S. voter records in December. The massive OPM hack resulted in putting 21 million people at risk and included 5.6 million fingerprint records. The Philippines election hack in March contained \u201c228,605 email addresses; 1.3 million passport numbers and expiry dates of overseas Filipino voters; and 15.8 million fingerprint records.\u201d The personal information of 50 million Turkish citizens was posted online after the breach of Turkey\u2019s government servers. If that is the new normal, then that is unacceptable.