A database reportedly containing roughly 93.4 million Mexican voter registration records was discovered on an Amazon cloud server without any password protection and includes everything from home addresses to ID numbers, a security researcher has disclosed.
MacKeeper researcher Chris Vickery, who is well known in security circles for unearthing database flaws by using the Shodan search engine, found the massive trove of records on 14 April and quickly contacted the authorities – including the US State Department, the Department of Homeland Security and the Mexican Embassy in Washington. According to the researcher, the database was finally taken offline on 22 April.
In a blog post, Vickery said: "In my hands is something dangerous. It is proof that someone moved confidential government data out of Mexico and into the United States. It is a hard drive with 93.4 million downloaded voter registration records — The Mexican voter database. Under Mexican law, these files are 'strictly confidential', carrying a penalty of up to 12 years in prison for anyone extracting this data from the government for personal gain. We're talking about names, home addresses, birthdates, a couple of national identification numbers, and a few other bits of info."
As Vickery noted, this is a serious breach of data. It is considerably more than previous major breaches at the US Office of Personnel Management (OPM) and the most recent election voter database hack in the Philippines. The researcher said he had confirmed the validity of some of the records.
"I can only imagine what fury will ensue now that anyone in the entire world could have potentially downloaded it," Vickery stated. "I mean, I'm just some guy in Texas... and I have it."
"This is a significant breach, and what makes it worse is that the data was being held outside of Mexico," Alex Cruz Farmer, vice president of cloud at security firm Nsfocus told IBTimes UK. "Mexico has quite strict data governance rules whereby data must be kept within Mexico and, if it is exported for any reason, the data owner must have the authority of the data subject before the data can be exported."
He added: "In this instance, it's clear that the data has landed on an Amazon Web Services (AWS) server somewhere in the world. As Vickery has quite rightly raised, the concern over what the data could be used for is extremely distressing. In the last month alone, there has been more than 200-plus million personal records leaked, security must become a priority."
Troy Gill, manager of security research at AppRiver, said: "People's privacy and security should never be taken lightly or diminished without consequence. It is not clear at this time how or why the documents got placed on the unsecured server but hopefully there is a successful investigation that not only identifies those responsible but also affects the policy and procedure of the source so that this may not happen again."
In an email to DataBreaches.net, the Instituto Nacional Electoral (INE) said the culprit of the breach must have had 'legal access' to the information. When asked who was responsible for the contents of the database and if any other political party is suspected of leaking it, a spokesperson said: "We don´t have at the moment information to identify the persons involved. Although, we know is a copy of the database so it was given to someone who had legal access like the political parties. We haven´t been able to get access to the database logs or any other information from Amazon."