Amazon denies Movimiento Ciudadano’s claim that they were “hacked”

DataBreaches.net is not alone in being outraged that in response to a massive data leak that put the information of 87 million Mexican voters at risk, Movimiento Ciudadano appears to be falsely claiming that the voter data list they stored on Amazon cloud was “hacked.” The political party has been repeating that false claim on Twitter and in the media, and has claimed to have filed a criminal complaint against Chris Vickery for allegedly hacking them.

Instead of being grateful that Vickery noticed that they had not secured their database and then spent a lot of time trying to identify them and alert them so that they could secure it, Movimiento Ciudadano is blaming Vickery and telling the public that Amazon told them that the database had been “hacked” or the victim of a “cyberattack.”

Movimiento Ciudadano is either incredibly ignorant or lying. Amazon told them no such thing.

Chris Vickery contacted Amazon last night to ask what they had actually said to Movimiento Ciudadano or its vendor, Indatcom. He received the following statement from Amazon.

All AWS security features and networks did, and continue to, operate as designed. Once AWS was notified that an unsecured database containing sensitive information was being hosted on the AWS Cloud and was publicly accessible via the Internet, we followed our standard security protocols and have since confirmed that this database is no longer publicly accessible. Customers who have questions about security best practices can find information at our Security Resources page (http://aws.amazon.com/security/security-resources/).

In other words, when Amazon learned (thanks to Vickery’s efforts) that the database was open to the public without security, they contacted the database owner to alert them to take it down so they could secure it properly. Amazon made no allegations of hacking or cyberattack – it simply informed the political party (through Indatcom?) that the database was publicly viewable and accessible when it shouldn’t be and they should take it down.

The Mexican branch of Amazon went even further in their statement to Mexican media:

Amazon México responded that the information uploaded by Movimiento Ciudadano was “stored in an insecure manner in the Amazon Web Services cloud.” It lacked a password and was visible on the internet, said its Public Relations manager, Julio Gil.

Dante distances himself from the hack; says Indatcom hired Amazon

Note that Amazon’s Julio Gil is correctly stating that the data was stored in an unsafe manner and that there was no password required, and it was visible on the internet.

And while Indatcom may have made arrangements to host the database on Amazon cloud, Amazon had no responsibility to secure the MongoDB database. Amazon had no role in the configuration of the database and the decision or error that left port 27017 open. That was solely on the political party or whoever they hired to secure the database.

Motivation to Blame or Lie?

DataBreaches.net understands that in 2013, Movimiento Ciudadano was fined over another data leak involving voter information that was found up for sale. It would be understandable that they do not want to be responsible for this newest incident, but they are responsible for this incident, and the Mexican public needs to understand that.

Movimiento Ciudadano has yet to disclose the access logs for the database. If and when they do, the Mexican people will learn that there was more than one IP address that accessed the voter list. Elsewhere, Dante has claimed that Chris Vickery was the only person to access the database. DataBreaches.net is aware that at least six IP addresses accessed the database. How can Movimiento Ciudadano claim Vickery was the only one to access it if there were at least six IP addresses that accessed it? Is he claiming Vickery was all six IP addresses? And how many other IP addresses accessed it? Movimiento Ciudadano needs to be more transparent about what its logs show.

Movimiento Ciudadano should stop misleading or lying to the Mexican people. 

As one commenter on this site wrote in response to some of my earlier reporting on the data leak:

Disgraceful excuse of a political party. Here’s their attempt at covering themselves up translated. Oh, and on behalf of the Mexican people I’d like to apologize to Chris Vickery that has been now apparently made the target of politicians trying to justify themselves

Disgraceful, indeed. The Mexican people owe a debt of thanks to Chris Vickery.

I don’t know if Chris can sue Movimiento Ciudadano for defamation, but he might want to look into that. At the very least, the party should issue a public retraction and apology for their false claims about him. And the Mexican people need to know that they are being lied to by the political party who is responsible for the data leak.

Update: The Mexico Daily News has picked up the story.

Update 2: SonTusDatos has written about the questions that need to be answered (ES).

About the author: Dissent