A reader kindly informed me that Movimiento Ciudadano, one of the political parties that had legitimate access to Mexico’s voter data list, has admitted it was responsible for the leak on Amazon. Except that as I read more, I realized they weren’t really admitting they were responsible for the leak.
I’ve been trying to read/translate a number of news stories on today’s developments, including the political party’s statement (ES).
From what I’m reading in their statement and from a number of sources, it seems like the Citizens Movement party is filing a criminal complaint against Chris Vickery, claiming he broke Amazon’s great security, or some such nonsense. They write, in part:
To make public the information that was safeguarded on the Amazon Web Services servers, it was necessary to breach the security measures through highly specialized methods, characteristic of professional hackers.
To be clear: Chris Vickery never hacked into the database. Citizens Movement left port 27017 open, and so anyone and everyone could access it and download the voter data with no login required. Amazon was not responsible for securing that database and Vickery didn’t break any security: there was no security, and that was Citizens Movement’s responsibility.
Trying to make it out that Vickery engaged in criminal conduct is a lame attempt on their part to deflect blame for their infosecurity failure. It is especially lame in light of how appreciative Mexico’s INE has been of Vickery’s discovery and notification.
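For administrators who want to check their own servers for the exposure described above (port 27017 reachable with no login), here is an added example that is not part of the original post: a small audit of a `mongod.conf` file. The sample configurations are constructed, and the script assumes the MongoDB 3.6+ default of listening on localhost only when `bindIp` is absent.

```python
import ipaddress

# Constructed mongod.conf samples (not taken from the incident).
EXPOSED = "net:\n  port: 27017\n  bindIp: 0.0.0.0\n"
HARDENED = ("net:\n  port: 27017\n  bindIp: 127.0.0.1,10.0.0.5\n"
            "security:\n  authorization: enabled\n")

def parse(text):
    """Flatten the two-level YAML of mongod.conf into {'net.port': '27017'}."""
    flat, section = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if not line.strip() or ":" not in line:
            continue
        key, _, value = line.strip().partition(":")
        if line[0].isspace() and section:
            flat[f"{section}.{key}"] = value.strip().strip("'\"")
        else:
            section = key
    return flat

def is_local(addr):
    """True for loopback addresses, 'localhost' and Unix socket paths."""
    if addr == "localhost" or addr.startswith("/"):
        return True
    try:
        return ipaddress.ip_address(addr).is_loopback
    except ValueError:
        return False  # unknown hostname: treat as network-reachable

def audit(text):
    """Return (severity, message) findings for one mongod.conf."""
    cfg = parse(text)
    port = cfg.get("net.port", "27017")
    # Assumption: with no bindIp, mongod 3.6+ listens on localhost only.
    binds = [b.strip() for b in cfg.get("net.bindIp", "127.0.0.1").split(",")]
    if cfg.get("net.bindIpAll", "false").lower() == "true":
        binds = ["0.0.0.0"]
    remote = [b for b in binds if not is_local(b)]
    auth = cfg.get("security.authorization", "disabled").lower() == "enabled"
    if remote and not auth:
        return [("CRITICAL", f"port {port} on {remote} accepts clients with no login")]
    if remote:
        return [("INFO", f"port {port} on {remote}: confirm firewall limits it to app hosts")]
    if not auth:
        return [("WARN", "authorization disabled; safe only while bound to loopback")]
    return []

if __name__ == "__main__":
    for name, conf in (("exposed", EXPOSED), ("hardened", HARDENED)):
        print(name, audit(conf))
```

A clean result from the file does not prove the port is unreachable; the cloud security group or host firewall rules for 27017 still need to be checked separately.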
In response to an inquiry from DataBreaches.net, Chris Vickery issued the following statement:
I strongly deny any accusations of hacking. This database had no password or any other protection enabled. It was being published openly to the world. There simply was nothing to hack even if I had wanted to do so. I have screenshot evidence proving this.
If the database was protected in any way, it would not have appeared in the Shodan search engine. The attached screenshot is directly from the Shodan
I have reached out to Amazon and am awaiting a reply regarding whether or not Amazon informed the “Citizens Movement” that there was a hacking incident.