Unprotected Database Exposes Details of 93.4 Million Mexican Voters

Posted by Alejandro A. Sánchez Mújica A.According to a series of recent news reports, a voter registration database containing the personal data of more than 93.4 million Mexican citizens was inadvertently (and temporarily) made public.  The unsecured database was reportedly uploaded by Movimiento Ciudadano, a political party in Mexico, to the  Amazon EC2 cloud, but the database was misconfigured to allow public access to the information.By Mexican law, all political parties must be provided with a copy of the database to verify its integrity. The lists provided to each party contain a watermark to identify the owner of the copy.  The political party that uploaded the database had just been fined $76 million Pesos (approximately $4.4 million dollars) for another leak of the voter information database that occurred in 2013.In addition to Mexico’s Federal Personal Data Protection Law (Ley Federal de Protección de Datos Personales), there are additional data protection provisions applicable for information held by the Mexican government.The reports additionally state that the Mexican National Electoral Institute (INE) has filed a complaint with Mexico’s Special Prosecutor’s Office for Electoral Crimes as to who might be found responsible, reviewing the responsibilities of the political parties, Amazon and others in this case. On the other hand Movimiento Ciudadano, the political party whose copy of the database was found unsecured, has stated that it has reason to believe that the individual who claims to have discovered the breach (a security researcher who works for the company MacKeeper) was the person who hacked the voter registration database.  As a result Movimiento Ciudadano has filed a complaint against him with Mexico’s Special Prosecutor’s Office for Electoral Crimes.