The personal information of more than 2 million Mexicans was found online last week by the same man who recently discovered a previous data breach exposing the voting registration records of 93.4 million Mexicans.
Chris Vickery, an internet data-breach researcher for MacKeeper, told Fusion he found a new database with over 2 million entries through the search engine Shodan.io. He said he found the database through a “random search,” similar to the one that previously led to his March discovery of an open Amazon server hosting addresses, names and other personal information for more than 70% of Mexico’s population.
Vickery said the new database was hosted on a server owned by U.S. company Digital Ocean, which offers online storage and transfer solutions to clients. Vickery said he again alerted Mexico’s electoral authority, INE, which launched an inquiry and confirmed that the voting registry for the northern state of Sinaloa had been exposed online.
The database was taken down by Digital Ocean last Friday. The company did not immediately respond to Fusion's request for comment.
Mexican officials have launched an investigation into how the breach happened.
“I think the sudden appearance of multiple [voter registry] databases is a symptom of giving out too many copies,” said Vickery. “I think the INE is making good changes in the future by not allowing so much information to be so widespread.”
Vickery’s first discovery prompted INE to issue new regulations, such as limiting the type of information it provides to political parties to protect voters' home addresses.
Mexico’s electoral authority denied in a press release that its security system had been hacked. It said the online leaks are simply copies of databases that the agency provides to all of Mexico’s political parties.
The massive leaks come as 13 state governorships, including Sinaloa, are up for grabs in June. Whether the leaks constitute simple negligence or something more sinister, the twin dumps could be eroding public trust in INE’s ability to safeguard this data and hold political parties accountable for exposing it.