All of Mexico's voters have had their personal information leaked online.
The details of 93.4 million voters, the entire voting-age population of Mexico and, at 73 percent, the large majority of Mexico's 119 million citizens, were exposed online late last week.
The leak was spotted by Chris Vickery, a security researcher at MacKeeper, who first saw it on the morning of April 14th. He told SCMagazineUK.com, “My initial reaction was to google some of the addresses in the database and figure out which country it belonged to. All of them turned up in Mexico, so I was fairly certain it was a Mexican citizen registration database of some sort.”
The tranche includes a host of personally identifiable information like addresses, dates of birth, voter registration numbers and names along with the names of family members.
Lisa Baergen, director at NuData Security, told SC that “while no pictures or financial information were included, it is more than enough for fraudsters (or really anyone with access to the Web) to use maliciously. With this level of information, criminals have solid profiles that can be used to create new bank accounts, access existing accounts and so much more.” According to Baergen, of the last billion accounts that NuData Security analysed, over half were illegitimate or fraudulent.
The database was discovered on an Amazon AWS cloud server, with no password protection. According to Vickery, “The leak has been confirmed by the Mexican government to be the entire voter registration roll for the country of Mexico up until February of 2015.”
Vickery added, “It is everyone, not just part of the population. It's everyone.”
Strangely enough, according to Vickery, the central store of information is not kept on a networked computer but on completely air-gapped machines.
Alex Cruz Farmer, VP of Cloud at NSFOCUS IB, told SC that the data wasn't even stored in Mexico. He said that “Mexico has quite strict data governance rules, whereby data must be kept within Mexico and, if it is exported for any reason, the data owner must have the authority of the data subject before the data can be exported. In this instance, it's clear that the data has landed on an Amazon Web Services server somewhere in the world. Knowing their geographical regions well, AWS today do not have any locations in South America.”
So how did the information of nearly the entire population of a large country get out into cyber-space?
Though Vickery believes the leak was accidental, he does admit it could have been intentional. The opportunity for such a large disclosure may have come when that information was taken off the air-gapped machines.
The nine political parties of Mexico all get copies of the database via CD or USB drive. The most likely scenario, Vickery told SC, “is that some rogue staff person at one of those parties uploaded it for convenience's sake and just neglected to put any sort of password or protection on it. However, I wouldn't be surprised if it was also tied to some sort of black market transfer as well.”
“Well, as long as they are giving the lists to nine separate political parties, there are likely to be leaks. I think the easiest mitigation would be to simply not share so much information about every citizen. The list would probably be just as effective without the address included.”
The suspicion was echoed by Lorenzo Cordova Vianello, who told press he believes that one of the parties that the database was handed to was at fault. Vianello told Scientific American, “the fact that this database is published to the public, it is not just a criminal offence, it is a national offence”.
The Mexican electoral commission has apparently already launched a criminal complaint and reported the incident to the national cyber police.
The leak comes just weeks after a similarly large flood of voter details in the Philippines. COMELEC, the Filipino electoral commission, was breached only a couple of weeks ago, resulting in the leak of 55 million voter records, which were published online in a searchable format soon after.
Unlike in the COMELEC case, the air-gapping of this information is a sure sign that the Mexican government take the security of voter information seriously, but some have not been so charitable, deeming this problem a serious lapse in security practices.
Justin Harvey, CSO at Fidelis Cybersecurity, told SC that “news of a second breach of voter data in just a few weeks is deeply concerning for citizens and begs questions over the security precautions being used by Government authorities to protect data.”
Harvey added that “the fact that a US security researcher was unable to inform the right people to get the data offline within hours of finding it, needs to be rectified.”
Matt Middleton-Leal, regional director of UK and Ireland at CyberArk, told SC that “a publicly accessible database holding names, addresses, dates of birth and voter ID numbers from such a staggering number of people is highly concerning and points to significant flaws in security practices – not least in who had administrative access to such a vast pool of sensitive data.”