A massive data breach exposed personal info for 93.4 million Mexicans

What would you do if you accidently stumbled across a massive trove of data that included the personal information of nearly everybody in Mexico?

That’s more or less what happened to Christopher Vickery, a U.S. internet data breach researcher for MacKeeper, who came across a public access cloud that contained the voter registration data for more than 93 million Mexicans.

Vickery told Fusion he stumbled upon Mexico’s 2015 national voter registry on April 14 while using a search engine known as shodan.io, which “crawls the internet for things Google doesn’t find.”

“This wasn’t complicated. Anyone could have found this,” Vickery says.

The mysterious data leak contained the names, addresses and occupations of more than 70% of Mexico’s population. How it got posted online is still unknown. The country’s cyber crime police is investigating, but say they have identified the culprits, who are thought to be staffers from a Mexican political party that had access to the database.

Mexico’s electoral authority (INE) hasn’t revealed the identities of those behind the leak, or said how long the confidential data was publicly available online. But thanks to Vickery’s curiosity, that database has since been taken down.

The Mackeeper researcher said that he was browsing different internet ports when he found an Amazon cloud server with an unusually large database named “Padrón 2015.”

“It sounded like the tequila, Patrón, so I clicked on it,” he told me.

What he found there were over 93 million entries that looked like personal information records. “I took some Spanish lessons in High school so I knew basic words like nombre and domicilio,” he said.

Vickery Googled some of the addresses and concluded it was some sort of national database, so he notified the U.S. State Department, Homeland Security and the Mexican Embassy in Washington, D.C.

But Vickery got no response from the U.S. agencies, and a secretary at the Mexican Embassy apparently deleted his email from a spam folder.

Vickery, who first made headlines last year for finding voter information for more than 191 million American citizens had been exposed online, reported his Mexico data finding days later during a conference at Harvard University. After his talk, he was approached by a Mexican student who suggested he get in touch with Mexico’s electoral authority. Vickery emailed the agency on April 19 to inform them that their entire database had been leaked online. Three days later it was removed from the cloud.

Vickery says the reaction time was “decently fast,”considering the volume of the data leak.

“What probably happened is that INE gives copies of this database to the political parties in Mexico, and a [party] staff member could have put it up on the Amazon cloud for easier access or some other reason,” he speculates. “However, it could be that someone was selling it. That’s always a possibility. If you’re going to sell this much info it’s one of the easiest ways to get it into the buyer’s hands.”

Buying voter registries is not unprecedented. In 2003 a U.S. company known as Choicepoint reportedly purchased Mexico’s entire voter registration database for $250,000 and sold it to the U.S. government for unknown reasons.

“Exactly how the U.S. government is using the data is also unknown,” according to a 2003 article in The Guardian. “But since it focuses so heavily on Latin America, it would appear to have vast potential for those tracking down illegal immigrants. It could perhaps also be used by the U.S. drug enforcement agents in the region.”

According to Mexican data protection expert Hector Guzman, the recent breach of Mexico’s voter database could have “immediate repercussions on people’s’ security and their collective feeling of security.” Criminals or drug cartels could mine the data to discover the home address of people they’re targeting. Companies could also use the data for targeted ad campaigns or to make a buck from analytics. Identity theft is also a big concern.

But most likely the data leak was due to a rookie mistake rather than something more nefarious, Guzman says.

INE denies that the agency was hacked. Spokesman Alejandro Andrade told website databreaches it’s illegal to host this kind of data on a foreign server, but said the agency had no information regarding how many times the database had been accessed or if someone other than Vickery downloaded it.

“We are [most likely] looking at a huge error that very clearly shows the disregard many [Mexican officials] have for security in general, and specifically the personal data of citizens,” Guzman says.

Cybersecurity attacks on Mexican government institutions have increased sharply in recent years. Experts say the country is not properly equipped or prepared for hacker attacks.

Guzman says government officials are not obliged to inform citizens when their security has been breached. So many other cases could go unnoticed and unreported.

“We simply don’t know, through reliable and updated data, how our agencies have been attacked and if our personal data has been compromised,” he said.