Mexico launches criminal probe into exposure of voter information (updated)
Dell Cameron reports:
Mexican authorities have begun criminal proceedings into a data theft incident said to affect more than 87 million registered voters.
Mexico’s National Electoral Institute (INE) filed a criminal complaint on Friday with the country’s election crimes office concerning millions of voter records discovered on a U.S.-based Amazon cloud server. The theft of the records, which includes names, addresses, phone numbers, dates of birth, and voting credentials of Mexican citizens, constitutes a “national offense,” according to INE Director Lorenzo Cordova Vianello.
Read more on Daily Dot. The number of unique voters in the database has now been variously reported as 81 million voters and 87 million. Either way, it’s a huge number. All sources now confirm that the list was the official list of February, 2015.
Although Daily Dot reports the criminal complaint was filed Friday, according to the official INE press release issued Friday and my source in the INE, the criminal complaint was actually filed on Wednesday. As far as I know, it doesn’t allege “data theft,” and Dell informs me he didn’t mean that term literally. In fact, reading Dell’s article made me realize that we have almost no understanding or information as to what the actual charges are in the criminal complaint.
Under Mexican law, the list in question is only supposed to be used for verification purposes, but where, in Mexican law, does it actually make it a crime to upload that list to a server? Or is the crime that it was uploaded to a non-Mexican server? Or is the crime that it wasn’t adequately secured? Or all of the above or something else? What’s the crime here?
DataBreaches.net emailed the INE last night to ask for information as to what the criminal complaint actually charges.
But apart from the criminal complaint, I keep harping on the fact that because Amazon has yet to cooperate with the INE, the INE – and the Mexican public – still don’t know how many individuals other than Vickery may have downloaded the database before it was secured . Hopefully, he was the only one. But given that some people are now worried for their safety, the sooner Amazon cooperates with INE and provides access to logs, the better.
The US Department of Justice assisted the Filipino government by contacting CloudFlare and GoDaddy to get evidence preserved and a web site with a database with Filipino voter data taken down. I hope our government is also assisting Mexico in getting Amazon to provide information to INE as to whether this database was accessed and downloaded so that people who may be at risk of kidnapping or murder find out how bad this situation really was.
And at some point, we really need to discuss Amazon’s slowness to respond to what could be safety issues for individuals, but more on that at another time.
Update: Alejandro Andrade of INE responded to my inquiry as to what the criminal charges are, by writing:
It is for misuse for not keeping the confidentiality of the data and any other criminal use that could apply.
In response to a specific question about whether data theft was part of the charges, he replied,
As you mentioned, we don’t know what was the purpose or who uploaded the
information, although we gave it to a representative of a political party there could be many persons involved.
So until they complete their investigation as to who, exactly, uploaded that file, and why, they cannot determine other charges that might apply, but there is a criminal charge of misuse for not protecting the confidentiality of the data, it seems.