Apr 22 2016
 

In today’s installment of “Epic Infosecurity #FAIL,” more than 93.4 million Mexican citizens have had their voter registration details exposed online due to a misconfigured database. Why a database with Mexican voters’ information was hosted on a server outside of Mexico, who uploaded it to Amazon, and why it wasn’t properly secured are questions in search of answers.

Last week, MacKeeper Security Researcher Chris Vickery contacted DataBreaches.net to report that he had discovered yet another misconfigured MongoDB database. This one, 132 GB in size, appeared to contain voter registration data from 93,424,710 Mexican citizens.

Vickery, who has blogged about this incident on the MacKeeper blog, provided this site with a redacted screen cap of an individual’s record:

Courtesy of Chris Vickery


The record contains the individual’s name, complete address, date of birth, mother’s and father’s last names,  occupation, and their unique voting credential code (number/identifier).  Mexico currently recognizes two types of voter cards. One contains OCR numbers; the other contains a different type of formatted identifier. This database, labeled “padron2015,” appears to contain OCR numbers.  No pictures or financial information was included in the database.

Although there was no information included in the leaky database that could point us to its owner or who had uploaded it to Amazon cloud services,  the data appeared to be voter registration data compiled by the Instituto Nacional Electoral (INE).

After some discussion as to whom to notify and how, Chris decided to report his discovery to the State Department and let them contact their Mexican counterparts in the spirit of cooperation. When he got no meaningful response, he reached out to the State Department’s Office of Mexican Affairs, who told him they would forward his alert up the chain. When that still didn’t achieve the desired results of getting the database secured, Chris contacted the U.S. Secret Service, Department of Homeland Security, and  US-CERT. He also contacted the Mexican embassy directly:

After I explained the situation over the phone, they wanted proof of the breach and gave me an email address to send it to. I sent them an explanation with the IP address and two screenshots as evidence. The embassy has never even responded to that email.

(First lesson to be learned by INE: provide an easy-to-find email address on your web site for people to report security breaches.)

As fate would have it, though, Chris was speaking up at Harvard about his research and mentioned the leak. A student from Mexico verified the accuracy of his father’s record, and a faculty member tried to assist Chris with the notification problem by giving him other individuals to contact. Chris eventually heard back from someone from the Instituto Federal Electoral (IFE/INE), who thanked Chris and said they would get right on getting it secured. Of note, the coordinator said that the IP address was not theirs and he was investigating to see who was responsible for the database being on that IP address. In a subsequent communication to DataBreaches.net, the coordinator reported that the numbers in the database did not match national historic numbers, and that had become part of their investigation, too.

The database has now been secured.

Publication of this post was delayed until now at the request of the Mexican government to give them time to investigate and to secure the database.

The Risk to Mexican Citizens

This is not the first time voter registration information of Mexican citizens has been leaked or otherwise compromised. In what became an international incident in 2003, Latin American countries learned that ChoicePoint was buying – and selling – information on citizens of their countries.  And in discussing this incident with Héctor Guzmán, Partner at BGBG Abogados (Data Protection & Privacy practice), DataBreaches.net learned that Mexico has had other leaks involving voter information. Guzmán pointed DataBreaches.net to a previous breach in 2010 that also contained extensive data, all of which were up for sale.  And in May, 2012, there was another investigation by the Mexican government concerning an entire electoral roll that had been found for sale. A November, 2013 article on Global Voices also noted data up for sale on buscardatos.com.

DataBreaches.net has no indication that the current leak is associated with any attempt to sell the data, but given that 2015 data has now been found exposed in 2016, the Mexican government may wish to review their protections, because as  Guzmán explains, the risk is huge:

Mexico is (still) dealing with security issues in many parts of its territory. So even when this “padron” is not a completely reliable source of the place where citizens actually live, most of the time the address contained in the padron coincides with their real address. Then, if you have access to this database, you will know exactly where they live.

That and the fact that this information may provide information to companies that otherwise might have need to spend a lot of time and money to get this kind of data.

“This incident clearly erodes the confidence of citizens in a lot of  government bodies. Some citizens might decide to never provide their data again to the INE, the next time their ID expires,” Guzmán adds, noting that although it’s a relief that financial and bank information were not leaked, “the information could still be used for criminal purposes since the location  of citizens are available.”

Mexico’s data protection laws do not require the government to notify individuals of this incident.

Entire Countries Breached

With this leak, Mexico now joins a list of countries where almost the entire population has had their personal information leaked or breached, as 93.4 million represents over 72% of Mexico’s estimated population. Belize, Greece, Israel, Philippines, and Turkey have also experienced leaks of the majority of their population’s personal information. And of course, let’s not forget that Chris Vickery had also discovered 191 million U.S. voters’ data leaking due to a similarly misconfigured database.

Update 1: Dell Cameron has some great coverage over on Daily Dot as to the frustration Chris Vickery experienced with Amazon when he tried to get them to take the database down. A Spanish version of this article is available here.

Update 2: It looks like INE responded publicly and has filed a complaint (?) against whoever is responsible, but it’s not clear to me (translation issues) if they know who is responsible. See tweets today by @INEMexico.  I am still trying to get a statement and some answers from INE.

Update 3: It seems that the INE has identified the source of the leaking database but isn’t announcing it yet. And from the article, it sounds like copies provided to political parties – who are entitled to get the copies – are somehow electronically watermarked, which enabled the INE to trace the database back to its owner.

Curiously, they are saying the February 2015 database had 81 million voters, although the database Chris Vickery found shows over 93 million records. Perhaps there are some duplicates in there?

Update 4: I received a response from INE, which I’ve posted in a new post. Yes, there were duplicates in the database.

Update 5: See also Mexico launches criminal probe into exposure of voter information.

Update 6: Chris Vickery informs me that the Mexican embassy in Washington D.C. called him over the weekend to apologize for not responding to his first email alert. It seems it went to their spam folder and was deleted.  How do you say, “Oi veh” in Spanish?

Update 7 (Apr. 27): A reader kindly informed me that Movimiento Ciudadano, one of the political parties that had legitimate access to Mexico’s voter data list, has admitted it was their copy of the voter’s list. See my post about their outrageous attempt to blame the researcher, here.

Update 8 (Apr. 28): See my latest follow-up story here about the political party misleading the Mexican people and how Amazon did not tell them they were “hacked.”

  54 Responses to “Personal info of 93.4 million Mexicans exposed on Amazon (UPDATED)”

  1. It’s not the entire Mexican population, because people under 18 cannot get an INE ID, but you can be sure that those 93.4m are ALL Mexicans over 18 years old. And I’m one of those… SHIT!

  2. Where can I see this information?

    I’m a Mexican citizen and this is really bad!

  3. Correct, this is only aged 18 and over.

  4. The database has been secured and should not be currently available online unless someone else downloaded it and shared it. Chris Vickery does not make his findings publicly available as the goal is to protect the data, not share it. 🙂

  5. “due to a misconfigured database”

  6. Yeah, that’s code for “they left the damned port open” despite all the articles written about this risk.

  7. Interestingly enough, in a press release, the National Institute for Elections (INE in Spanish) said that there was no danger to the citizens because the DB had only the names of the registered voters; seeing this information on this and other pages means that they are flat out lying.

    Sadly this is not the first time personal information from Mexicans has been leaked to everyone; for example, some years ago there was a mobile phone registry that obligated the telephony companies to register the client’s name and mobile number, with the excuse of making it easier to tackle telephone extortion and kidnappings. The solution got stopped by the supreme court by means of privacy and some months later, the list appeared on a black market in Mexico City available for anybody.

    sorry for potato english

  8. Your potato English is better than any Spanish I could attempt. And you’re right, this is much more than just names of registered voters as the redacted screen shot I posted demonstrates.

  9. Thanks

  10. I would like to hire a security breach Law firm, to sue the INE, the issue was reported and they did nothing. I don’t want my data to be out there. That institution costs billions of dollars each year, enough to protect and host securely my information. Plus hosting it on US Private Servers.

  11. The INE didn’t host it on a U.S. server. I’m still trying to get a straight answer from them as to who hosted it/uploaded it to Amazon. Could it have been a political party that would have access to the list? Could it be a rogue employee who made a copy of the list and uploaded it to Amazon? Could it be someone hacked a political party and uploaded it to Amazon? I don’t know (yet), but will keep asking until we get answers. And one answer the Mexican people need is whether there is any evidence that the database was downloaded by anyone other than Chris Vickery.

  12. Rough translation from the “infographic”:

    A copy of the Nominal List of Electors was identified in Amazon US.

    The INE forwarded a complaint towards the Specialized Prosecutors for Electoral Crimes (FEPADE) and a process against internal instances has been started.

    As soon as the issue was known, the Executive Direction of the Federal Electors’ Registry took the following actions:
    1. Verified that the data, in fact, was the same as the Nominal Electors’ List up to February 15, 2015 that was delivered for its verification, as the article 151 paragraph 1 of the General Institutions and Electoral Procedures Law states.

    2. Immediately steps were taken to take down the copy of the Nominal Electors’ List from the file host Amazon, which happened in the early morning of this Friday, April 22.

    3. The information was compared against other copies to see which copy was leaked. The findings were made known to the Specialized Prosecutors for Electoral Crimes (FEPADE), to the Cybernetic Police and to the Technical Unit of Electoral Disputes of the INE.

    4. Since Wednesday 20 a criminal complaint was presented to the FEPADE and to date an ordinary sanctioning procedure has been started as well that will be run by the Technical Unit of Electoral Disputes of the INE so that they may impose the appropriate sanctions.

    The data of the copy of the Nominal Electors’ List is no longer accessible through the internet and the criminal and administrative investigations are ongoing.

    There is no evidence that in any moment the systems of the Electoral Roll and Nominal List were attacked, nor there is any evidence of external interference to the computer base of the INE.

  13. Bless you for translating that!

    Paragraphs 3 and 4 suggest that they can figure out who was responsible for the leaked copy. Maybe they have identifiers/codes in what they give out that are specific to each recipient. That would sure help now if they do that.

  14. It is known that political parties have had this information for a long time. In fact the more popular political parties build their strategies based on this information. A few years ago (2012) I was shown an app based on Google Maps that displayed the data mentioned in this article; the app ran on a laptop.

  15. This is a major problem for the Mexican government. But you know what? Mexican citizens will remain doing nothing about it…

  16. This is shameful. If it happened in another kind of service like email, messaging, even bank accounts, I change my passwords, but with this kind of leak I can’t change my residence. What an incompetent bureaucracy we have, the Mexicanos

  17. I will be eager to see what the result of the criminal complaint will be. Lame sanctions or something with real consequences?

    And all of you upset Mexicans: there’s legislation coming up in your plenary that involves data breach notification. Start speaking up to push for it. And make sure it includes govt agencies.

  18. It doesn’t contain mother’s and father’s name, ‘apellido materno’ and ‘paterno’ means Paternal Last Name and Maternal Last Name, since we use both as last name.

  19. Jesus ducking Christ. We are fucked. This doesn’t seem to be your normal leak, but the complete registers of the population. Of all the adult population. This is really bad, as this is a lot of information that in the wrong hands could be used for harming the Mexican people. Let’s hope they can fix this shit, because from what I am reading it doesn’t seem to be very positive. What a good way to recover your citizens’ trust than losing your personal data and making it accessible to everyone.
    Sorry for the English, I hope it’s understandable for anyone reading, and that it doesn’t give you brain farts.

  20. Speaking up hasn’t worked thus far here. But Fuck it, we need to try anyway. We can’t let institutions gain access to our personal data, and then be incompetent enough to get it stolen. We don’t know how this could be used, but there are records of this kind of thing happening before, and it didn’t go well.
    In the end let’s hope they finally listen, and we will try to do our best in that matter. We can’t let it pass just like anything hasn’t happened. This is potentially harming for the citizens.

  21. I may be wrong, but from the screen cap it seems this data is based on INE’s voter registration with additional details coming from somewhere else. Years ago when I applied for my ID they didn’t ask for my “OCUPACION” (job), also the “EN LISTA NOMINAL” category seems strange, why would the INE keep details from citizens who didn’t renew their ID (in Mexico you have to renew your ID after a number of years/elections and update your personal details, I haven’t done so because since around 2012 they ask for biometric information), died or simply didn’t want to register?

  22. Right. But because you understood “names” in my post to mean “first names,” I’ve added “last” before it to make that clearer.

  23. Ps kearemos para salir adelante

  24. Oh, I ‘m glad to hear that. Stupids!

  25. I now need to move to secure my family. Thank you fucking government.

  26. Thank you for your heads up on this issue. I’ve been aware that the law gives the voters’ info to parties since the registry was created, so I make sure my address doesn’t match my real one just in case. And apparently, it’s been the case a few times. My info is all over the place, so at least I make sure that they have the wrong one.

    INE has very secure facilities. The leak, no doubt, comes from a political party. The previous leak was attributed to a party and the only consequence is that they are fined several millions. Which is not that bad for them considering that parties in Mexico are publicly financed. They received the info and they don’t have any professional data experts (or interest in privacy, to be honest) plus they share the info with thousands of smaller local branches across the nation. It’s almost impossible to keep it tight when almost a million people go through it.

    After this new breach, maybe I will not renew my registration and just use an alternate form of ID that doesn’t require an address. I won’t be able to vote but at least my info will be less vulnerable. IDK… What do you recommend?

  27. I think the proposal going forward is for the lists not to have addresses at all. I’m not sure whether it will pass, but I suggest you follow @INEMexico on Twitter if you’re on Twitter and ask them.

  28. This is not the government’s breach. It’s whomever they gave the list to – and who was obligated to protect/secure it. If you don’t want the govt to have to give lists to political parties, that’s a matter for your country’s legislature – as is the issue of what information should be disclosed.

    That said, if you really have to move your family because of this, yes, that is awful. Best of luck to you.

  29. It is not strange that with elections to be held soon we have a leak of information that the government or any political party can use.
    We have to demand INE for our private policy of data.

  30. Can we demand INE?

  31. NO more EXCUSES now you know who and where these CRIMINALS live SO THROW THEM OUT of the USA before the US CITIZENS DO IT FOR US ALL!

  32. 93.4 million padron!!! Even the children can vote? Very interesting hoax.

  33. No hoax. There were duplicates in the records as INE confirmed.

  34. It had already been published before that a company was selling that information… and nothing happened… nobody ever does anything… it’s just one more news item… that will be forgotten tomorrow…

  35. Exactly. Here you can see more details about this. http://listanominal.ife.org.mx/ubicamodulo/PHP/index.php

    “Bajas” include duplicates, cancellations and deceased people’s records, which, for traceability purposes, I guess don’t just get deleted, but rather marked as a “baja” but still count towards the full record count. I did the math, and it checks out (82~m from the nominal list + duplicates + cancellations + deceased = 93~million).

  36. Thank you. I think the govt has told Daily Dot that the count is 87 million, so I’m not sure of the exact number. At the time of initial publication, all we had was the number of records in the database.

  37. It sucks really bad, the señor just said that “there were no evidence that the Internet Security of the database was not accessed from outside, sooo…. it was an insider job; that is worse!!! 》:-(

  38. No, not an “insider job” in terms of what that phrase usually means. INE was saying that their computer network was not hacked or compromised, and that this leak is because someone who had legitimate access to a copy of the database (like a political party) uploaded it to Amazon (which in itself, violates Mexican law), and then failed to secure it properly. This may be more of a case of negligence and human error (on the open port) by someone who received a copy of the database than an intentional “insider job.” And the problem wasn’t with INE; it was with whoever got the database.

    Hope that helps explain it.

  39. Oddly enough, they will all turn up as voters for Hillary in November.

  40. May this represent a risk for clean upcoming elections? I mean, there will be elections in my state in the next two months and there’s history here about business involving people’s voting information, which eventually resulted in a corrupt politician winning elections.

    What are the odds? I’ve been wondering about this being not an act of negligence, no accident at all. But, in an unsurprising contrast, a very carefully managed business whose only objective is to deliver control to those who have enough money to handle the strings.

    In elections at this level, the rate of participation barely reaches a 30%. May the leaked information be used for a corrupt politician to say there was a, for example, 40% participation, and that they had that 10% extra on their favor?
    They can have this information from the leak and, therefore, there will be no evidence that could implicate corruption at a specified party.

    I do not fear that much for my personal information as I fear for the way my government is elected.
    In Any case We have to Wonder if this was a case of negligence or a red flag stating nothing is working as it should.

  41. Do these CRIMINALS live in the USA and, if so, exactly where (state, city, etc) ?

  42. I think the “criminals” you allude to are a Mexican political party that uploaded their authorized copy of the electoral list to an Amazon server. We’ll have to wait for the results of the investigation to be made public to know for sure.

  43. I think you mean “sue” INE; and yes you can… if you want to waste your time.

  44. Hahaha! My thoughts exactly!

    This is fodder for the Democratic candidates!

  45. Shouldn’t the embassy also apologize to the Mexican citizens????

  46. Maybe it is a left over from Enrique Peña Nieto’s election theft:
    http://www.bloomberg.com/features/2016-how-to-hack-an-election/

  47. The political party Movimiento Ciudadano has just accepted that they were the ones that updated the DB to Amazon. http://www.elfinanciero.com.mx/nacional/mc-reconoce-que-subio-lista-nominal-a-nube-de-amazon.html

  48. Thank you so much!

  49. Hi, as you already know, Movimiento Ciudadano is blaming a “Highly specialized hacker attack”, but very few people outside the Engineering Community in Mexico know about your blog or this site. I was about to tweet the page to Movimiento Ciudadano but I figured it was best to ask you first. The only news outlet you have been mentioned in is Aristegui Noticias ( http://aristeguinoticias.com/2704/mexico/subimos-lista-nominal-de-electores-a-amazon-y-hubo-asalto-cibernetico-movimiento-ciudadano/ ). I get it if you don’t want to get more involved than you are right now, but I think it is important these political assholes pay for their mistakes, even more so because they “hired” a consultant company ( Indatcom S.A de C.V ) to set up their database. Any assistance you need please let me know.

  50. Feel free to link or tweet or point folks to my blog. And do point them to my reaction to MC’s bullshit statement:
    http://www.databreaches.net/movimiento-ciudadano-admits-responsibility-for-mexican-voter-data-leak-on-amazon/

    I will have more on this as I’m waiting to hear back with more follow-up from Chris Vickery (the researcher) and I have an inquiry into INE.

    I cannot tell if Movimiento Ciudadano had a contract with Indatcom that involved Indatcom providing security for the database, but Amazon does not take any responsibility for security – that was on the political party or whoever they hired for that purpose.

    I am livid….
