Mexican election officials probing the leak of a database containing over 90 million voter registration records have indicated one of the main political parties in the country may have played a part in its release. While authorities claim to have identified the source of the leak, they have so far refused to name the suspected culprit.
Lorenzo Cordova Vianello, president of the Instituto Nacional Electoral (INE), a body which oversees the elections in Mexico, said that under Mexican law his organisation is forced to share copies of the national voter list with political parties which has raised suspicions one of them leaked the data. "The fact that this database [was] published to the public, it is not just a criminal offence, it is a national offence," he told Scientific American.
As previously reported, MacKeeper security researcher Chris Vickery uncovered an unprotected database online on 14 April that contained 93.4 million records including names, home addresses and personal ID numbers of Mexican citizens registered to vote.
After contacting authorities including the US State Department, the Mexican embassy and the INE, the trove of information was finally taken offline on 22 April.
Officials have since launched a probe into the compromised data in order to ascertain how it made its way onto an unprotected Amazon cloud server hosted in the United States. Reports indicate electronic markings are installed into each copy of the voter list which should help to identify either the source of the leak or, at the very least, who was last in procession of the data. It has also been claimed only people with 'legal access' could have obtained the records in question.
Ciro Murayama, another official working for the INE, told local radio in Mexico a suspected source had been uncovered but could not be named until the probe was completed. Additionally, he denied the leak was a result of lax security on behalf of the INE and echoed other accounts by placing blame on a political party.
In a statement issued following the leak being made public, the Institute said it had filed a criminal complaint with Mexico's Special Prosecutor's Office for Electoral Crimes (FEPADE) and the cyber division of the national police.
Meanwhile, according to René Miranda Jaimes, executive director of the Federal Register of Voters, a fork of the INE, the case highlights 'spectacular security holes' in the current political and legal systems in Mexico. "On one hand we have to safeguard the confidentiality of the information, but on the other hand we have to give a complete copy to political parties," he told Motherboard. "That information shouldn't be public. Political parties need to be responsible and avoid compromising this data."
It remains unclear how long the data had been out in the open or how many people had accessed it. Officials have confirmed the database contained a full list of voters from February 2015 but claimed it contained a number of duplicate entries leaving the actual number of compromised records at just over 85 million.
As the researcher who uncovered the database noted, this is a serious breach of data that carries a potential sentence of up to 12 years in prison under Mexican law. "I can only imagine what fury will ensue now that anyone in the entire world could have potentially downloaded it," Vickery said. "I mean, I'm just some guy in Texas... and I have it."
In another election-based security breach, a recent leak at the Philippines Commission on Elections (Comelec) exposed information on up to 55 million voters in the region. The leaked data included not only personal details but also passport numbers and even fingerprint records. In the subsequent investigation, law enforcement announced the arrest of a man in his early twenties in relation to the hack.