The names and addresses of all 87 million Mexican voters were accessible on the Internet until early Friday, when authorities took action after a Texas-based security researcher alerted them to the vulnerability, Mexican election officials say. It is unclear when the list first became open to public view.
Chris Vickery, a Texan who said he found in December that he could view records on 191 million American voters, told Mexican authorities last week that anyone could view the Mexican voter information hosted on the cloud-computing site Amazon Web Services. The data lacked even the most basic security precautions such as a password, Vickery told the authorities.
Amazon Web Services did not immediately respond to telephone and email requests for comment Friday, but its website says it is up to customers to oversee the security of their stored data. “While AWS manages security of the cloud, security in the cloud is the responsibility of the customer,” the company writes. “Customers retain control of what security they choose to implement to protect their own content, platform, applications, systems and networks, no differently than they would for applications in an on-site datacenter.”
“The fact that this database is published to the public, it is not just a criminal offense, it is a national offense,” says Lorenzo Cordova Vianello, president of the Mexican National Electoral Institute, the body that organizes federal elections in Mexico. In a statement issued Friday, the Institute says it has filed a criminal complaint about the case with Mexico’s Special Prosecutor's Office for Electoral Crimes (FEPADE) and has notified the national cyber police.
Cordova says that under Mexican law, the Institute is obliged to share a copy of the national voter list with all nine political parties to prevent fraud. In an interview on Wednesday before the vulnerability was patched, he said he suspected one of the political parties of making the data available to the public. Mexican election officials have not named any suspects, but say markings on each copy of the voter rolls shared with the different parties may help identify the source of the breach. The list posted on the cloud showed more than 93 million names, but Cordova says it included some duplication, as the latest voter rolls list about 87 million Mexicans. It was not immediately clear if anyone other than Vickery had accessed this information.
Vickery says he spends most of his evenings searching for database vulnerabilities on the Internet, in essence searching less-traveled areas for open doors that represent security threats. He then alerts responsible parties before going public with his discoveries. After a closed-door talk at Harvard’s Data Privacy Lab on Monday, Vickery showed this reporter how he could access the database by looking up the father of a Mexican student spending a year at the university. “Oh my God, I can't believe it, it's literally my address. It's literally everything,” said Santiago Fajer, an undergraduate engineering student, as he confirmed that the data was authentic. “You don't understand how many people are vulnerable because of this.”
Cordova says that publication of the database on the Internet violates Mexican law, and that it represents a real security threat in Mexico because of the country’s high incidence of kidnappings and other security-related crimes. As the list is supposed to contain all voters’ names, addresses, parents’ names and voter registration numbers, it would likely include those of potential kidnapping targets such as Mexico’s most famous celebrities, sports stars and politicians, along with millions of ordinary voters. “We have a crime issue. That is one of the main issues, that is one of the main structural problems of Mexican society, that is why this is a sensitive issue that this database is put in front of the society,” Cordova says.
Vickery, who has found a series of sensitive datasets stored openly in the cloud without any protections, says he discovered the Mexican vulnerability on April 14. “Mexicans should be very annoyed by it and they are going to be,” he says.
Fixing the vulnerabilities is often as easy as putting up a password or taking down the dataset, he says. On Friday afternoon Mexican election officials, impressed by Vickery’s sleuthing work, offered to pay for him to visit Mexico to discuss lessons from such vulnerabilities, according to an email officials also sent to this reporter.