What Mexican political party Movimiento Ciudadanos is saying in the wake of a massive data leak is just so inconsistent with available evidence that DataBreaches.net will continue to try explain to the public what the available evidence actually shows.
As part of efforts to properly inform the Mexican public about a massive leak involving their information, this site posted statements from Amazon that confirm MacKeeper security researcher Chris Vickery’s claims that the database was exposed. There has been no evidence provided to indicate there was any hack that resulted in the exposure, as Movimiento Ciudadanos now tries to claim. All available evidence indicates that the exposure was due to the database not being configured (secured) properly by the party or its contractor, Indatcom. It is not clear from available information whether it was actually Indatcom’s responsibility to properly configure the database and to monitor its security. It definitely wasn’t Amazon’s responsibility to configure the database.
DataBreaches.net has provided a password-protected file for journalists who would like to see proof that the database was exposed and easily accessed without any password required. Journalists can email DataBreaches.net or DM this blogger on Twitter (@pogowasright) to request the password to access that file.
Today, DataBreaches.net will focus on Movimientos Ciudadanos’s recent tweets that are contradicted by available evidence.
In numerous tweets, the party continues to claim that its copy of the voter list was “hacked” while it was on Amazon cloud services. It claims that Amazon supports that claim. It now claims that they are not accusing Chris Vickery of hacking them (that’s an improvement), but that their criminal complaint is against whoever did hack them.
Realizing that some translations may be a bit tricky, I’m going to respond to just a few of their many tweets here.
Reiteramos que Movimiento Ciudadano no dio mal uso a la información del padrón, ni puso en riesgo la información de los mexicanos.
— Movimiento Ciudadano (@MovCiudadanoMX) April 29, 2016
My translation: We insist that the cyberattack we suffered allowed a security expert to find our data.
We reiterate that citizen movement did not misuse the information in the register, or put at risk the information of Mexicans.
What cyberattack? Where’s the evidence showing any intrusion or cyberattack? Movimientos Ciudadanos has provided no evidence to support that claim. The database’s access logs – if there even are any – should show what really happened. So far, all we’ve seen is proof (from Vickery, in the password-protected file) that the database was exposed/leaking because port 27017 was open. Leaving that port open was either a mistake or a poor decision. It almost certainly wasn’t the result of any hack, and if Movimientos Ciudadanos thinks it was, they should provide logs that prove that. DataBreaches.net thinks that there will be no such evidence found.
As to not putting people at risk: Movimiento Ciudadano put the information of Mexicans at great risk of theft by failing to secure the database properly on port 27017. If Chris Vickery hadn’t notified authorities to alert them to what he had found freely available for the taking, how many others might have found the unsecured database and downloaded all that information on more than million citizens?
De lo único que pueden responsabilizar a Movimiento Ciudadano es de haber sido hackeados. — Movimiento Ciudadano (@MovCiudadanoMX) April 29, 2016
My translation: The only thing Movimiento Ciudadanos should be held accountable for is being hacked.
The party should be held accountable for its decision to upload the database outside of the country, its failure to hire a real security firm to secure the database properly, and for not monitoring the database access logs to detect whether the database was being accessed by others. It should also be held accountable for putting the personal information of more than 80 million Mexicans at unnecessary risk of identity theft or harm by failing to encrypt the data.
Vickery y el supuesto comunicado de Amazon Web Services confirman que nuestras medidas de seguridad fueron vulneradas: No hay contradicción.
— Movimiento Ciudadano (@MovCiudadanoMX) April 29, 2016
My translation: Vickery and the supposed communication from Amazon Web Services confirm that our security measures were violated: there is no contradiction.
That is NOT what Vickery nor Amazon said. Maybe Movimientos Ciudadanos should try a different translator? Vickery said that there was NO security measures (medidas de seguirdad) preventing access to the database via port 27017. And Amazon confirmed that there was no security preventing that, which is how the data got out.
Nothing Amazon said suggests that Movimientos Ciudadanos was hacked. We only have the party’s claim that that’s what they were told by Amazon. Where’s the evidence of that when Amazon has not said that publicly?
There’s much more from Movimiento Ciudadanos on Twitter, and it all appears either seriously inaccurate or just flat out false. Hopefully, the INE will release its own investigative report that will reveal just how much security the database had – or didn’t have.
Giving the political party the benefit of any doubt about possibly lying to the public, maybe they truly don’t understand what happened. But even if that is the case – that they have been misinformed or misled, or they just don’t understand what they’re being told – Movimientos Ciudadanos needs to understand that this incident was totally avoidable and occurred because they did not secure the database properly or ensure that a contractor did.
And until they do demonstrate that they understand that and accept full responsibility, they should not be allowed to upload a copy of any voter list to any server, anywhere, ever.
And yes, DataBreaches.net thinks this incident should result in sanctions of Movimiento Ciudadanos and a very serious monetary penalty.