Info on 93 million Mexican voters found on an Amazon cloud server

Sensitive personal information of over 93 million Mexican voters has been found, unprotected and accessible to anyone who knew where to look.

Last Friday, researcher Chris Vickery shared details of of this discovery to the wider public, and the facts are as follows:

  • The data was stored in a publicly accessible MongoDB database, that required no password or authentication to be accessed
  • The database was hosted on an Amazon cloud server, outside of Mexico (in the US)
  • The data includes voters’ name, address, date of birth, mother’s and father’s last names, occupation, and unique voting credential code
  • At least one record in the database was confirmed to be correct, by a Mexican student who heard Vickery mentioning the leak.

“His reaction was very serious. He immediately understood the potential harm that could be done if this database were to end up in the wrong hands,” Vickery noted. “Kidnapping is a considerable problem in Mexico, and allowing cartels to download copies of this database could prove disastrous.”

The student and a Harvard faculty member finally helped him get through the Mexican authorities, especially Mexico’s Instituto Nacional Electoral (INE).

Prior to this, he notified the US State Department of the discovery, and intended for them to alert the Mexican authorities about the breach. When they failed to do so, he notified several US agencies and organizations about it, then the Mexican embassy in the US.

After repeated requests by Vickery and likely more requests by the Mexican authorities, Amazon finally took down the database on Friday. The Mexican authorities launched a probe into the leak, and the Instituto Nacional Electoral filed a criminal complaint against the still unknown perpetrator who put the database on a server outside the country.

It is believed that the database contained information from the February 2015 electoral roll and, according to the Daily Dot, the INE confirmed that the database originated with a person who had legal access to the records – someone affiliated with one of the country’s nine political parties. According to Vickery, it’s likely that they even know which one, as each list contained bogus names that, when found, would reveal whose list it originally was.

The INE is now trying to get Amazon to cooperate in order to learn if anyone else other than Vickery accessed the database while it was online.

This is not the first time that information about Mexican voters has found its way into the hands of unauthorized parties (and outside of Mexico).

“Following the September 11th terrorist attacks, the United States, for whatever reason, acquired a similar database through a data brokerage firm known as ChoicePoint. From what I’ve read, ChoicePoint managed to get ahold of the Mexican voter database in exchange for $250,000 back in the early 2000s,” Vickery noted. That data was apparently bought from a Mexican company.

“This incident clearly erodes the confidence of citizens in a lot of government bodies. Some citizens might decide to never provide their data again to the INE, the next time their ID expires,” Héctor Guzmán, Partner at BGBG Abogados (Data Protection & Privacy practice), told Databreaches.net.

Even though the database didn’t contain financial and bank information, the data it did contain could still be used for criminal purposes since the location of citizens is available, he noted.