In the morning of April 14, Chris Vickery, a security researcher, was browsing Shodan, a search engine for internet-connected devices and servers, when he noticed an unusually large database of more than 100 gigabytes on an Amazon cloud storage called “padron2015.”
As it turned out, the database contained the personal information, including full names, home addresses, and national identification numbers, of virtually all registered voters in Mexico. The information had been left completely open to anyone, as there was no passwords or any other protection on it.
Videos by VICE
“This is a voter registration database for the country of Mexico,” Vickery, who works as a security researcher at MacKeeper, recalled telling himself. “Holy cow! This shouldn’t be out there.”
“Kidnapping is a considerable problem in Mexico, and allowing cartels to download copies of this database could prove disastrous.”
The Mexican electoral authority, the Instituto Nacional Electoral or INE, confirmed that the data was legitimate on Friday. The database was the “Padron Electoral,” a list of all Mexican registered to vote as of February 2015. The list had been distributed to all Mexican political parties last year, following standard local electoral regulations, according to René Miranda Jaimes, the executive director of the Federal Register of Voters, part of the INE.
“We have some spectacular security holes in our law,” Miranda Jaimes told Motherboard in a phone call. “On one hand we have to safeguard the confidentiality of the information, but on the other hand we have to give a complete copy to political parties.”
Miranda Jaimes explained that their database is completely offline, disconnected from the internet, and when the INE delivers it to the parties it sends the list in hard drives, CD-ROMs or USB drives. He also said that while the database found by Vickery is made of 93.4 million entries, the number of registered voters last year was around 80 million.
After Vickery reported the existence of the database on the Amazon cloud server to the Mexican authorities, the data was taken down on Friday morning. It’s unclear if anyone else other than Vickery accessed and downloaded the data, but it was out there, for anyone to see, for days, perhaps weeks or even months. Vickery, who recounted his attempts to report this issue and get the data down in a blog post on Friday, said that an online search engine showed that a database on the same IP address was available since September 2015.
It’s unclear who uploaded the data on the Amazon server, but Miranda Jaimes said that when the INE usually distributes the data, it watermarks each copy with different bogus data, so investigators should be able to identify the party that uploaded it or at least lost control of it.
“We have some spectacular security holes in our law.”
“That information shouldn’t be public,” Miranda Jaimes said. “Political parties need to be responsible and avoid compromising this data.”
The INE launched an investigation and filed a complaint after discovering the database. Whoever is responsible for leaking it could receive a jail sentence, according to Mexican law. Moreover, the data is potentially very sensitive.
“Kidnapping is a considerable problem in Mexico, and allowing cartels to download copies of this database could prove disastrous,” Vickery wrote in his blog post.
This is not the first time Mexican voters’ data was leaked online. In 2013, a website called buscardatos.com obtained another voters’ database from 2010. The site allowed anyone to find people’s personal information by entering someone’s name. Earlier, in 2003, data broker ChoicePoint sold Mexican voters’ data to the US government.
And it’s not just Mexico who’s losing potentially sensitive data about its citizens. Vickery himself found a database of 191 million US voters last year. And just a few weeks ago, hackers breached the electoral authority in the Philippines, stealing personal data of 21 million people, including 5.6 million fingerprints.
That’s why Vickery said he was “surprised” when he found the database.
“I figured everybody would be clamping down on their countries’ data now that it’s starting to become an issue,” Vickery told me in a phone call. “But I guess we’ll see more of these.”
This story has been updated to remove the word “hacker” in reference to Chris Vickery.