Private records of 93.4 million Mexican voters exposed in massive data breach
A leaky database, which was not password-protected, is said to contain Mexican citizens’ names, addresses, dates of birth, as well as occupations and the names of the voters’ parents, according to noted MacKeeper Security Researcher Chris Vickery. The database was reportedly downloaded to an Amazon server by an unknown party.
A 132 GB database, containing the personal information on 93.4 million Mexican voters has finally been taken offline. The database sat exposed to the public for at least eight days after its discovery by researcher Chris Vickery, but originally went public in September 2015.
Vickery, who works as a security researcher at Kromtech (the company behind MacKeeper), discovered the MongoDB instance on April 14, but had difficulty tracking down the person or company responsible for placing the voter data on Amazon’s AWS. He first reached out to the U.S. State Department, as well as the Mexican Embassy, but had little success. Vickery went public on the massive data breach via YouTube [here]
In my hands is something dangerous. It is proof that someone moved confidential government data out of Mexico and into the United States. It is a hard drive with 93.4 million downloaded voter registration records— The Mexican voter database.
As was explained on the Office of Inadequate Security, the database included “name, data of birth, mother’s and father’s last names, occupation, and their unique voting credential code (number/identifier). Mexico currently recognizes two types of voter cards. One contains OCR numbers; the other contains a different type of formatted identifier. This database, labeled ‘padron2015,’ appears to contain OCR numbers.”
This is a massive data breach and you might think someone would act quickly to lock it down, but Vickery says that’s not the way it went it down at all. Vickery reported the breach to the U.S. State Department and its Office of Mexican Affairs, but the database remained online. He eventually contacted the U.S. Secret Service, the Department of Homeland Security, and the U.S. Computer Emergency Readiness Team (US-CERT), the agency responsible for assessing cyberthreats against the nation. Corresponding with the U.S. government, however, did not result in the database’s removal.
“It was very difficult to get this taken down,” Vickery says. “I eventually went straight to Amazon and worked my way through their abuse reporting system.” Amazon’s automated system for reporting abuse was equally frustrating to navigate, Vickery said.
This really sounds like an episode of “faulty towers”. The database was uploaded in a matter of minutes, hours at most. It took over a week of pleading through all available channels to get it taken down.
More Here [DailyDot]