Overnight, I received a response from the INE with answers to some questions I had posed to them about a massive database leak of Mexican voter data. The leak had been discovered by MacKeeper researcher Chris Vickery.
Let’s begin with the government’s press release:
INTERPONE INE DENUNCIA POR USO INDEBIDO DE LA LISTA NOMINAL DE ELECTORES
- Se identificó en un sito de almacenamiento de datos de la empresa Amazon de Estados Unidos en internet, información correspondiente a una copia de la Lista Nominal de Electores
- Se realizó una denuncia ante la Fiscalía Especializada para la Atención de Delitos Electorales y se inició un procedimiento ante instancias internas
El Instituto Nacional Electoral (INE) interpuso una denuncia en contra de quien resulte responsable después de que identificara, en un sitio de internet, un archivo con datos de una copia de la Lista Nominal de Electores.
Apenas se conoció el hecho, la Dirección Ejecutiva del Registro Federal de Electores (DERFE) realizó las siguientes acciones:
- Verificó que los datos, en efecto, coincidían con los de la Lista Nominal de Electores entregada el 15 de febrero de 2015 para su verificación, como mandata el artículo 151 párrafo primero de la Ley General de Instituciones y Procedimientos Electorales.
- De inmediato inició gestiones para que se diera de baja del sitio de almacenamiento de datos de Amazon, ubicado en Estados Unidos la información de la copia de la Lista Nominal de Electores, lo que ocurrió la madrugada de este viernes 22 de abril.
- Se cotejó la información de la Lista Nominal publicada en el portal referido para identificar a qué copia entregada correspondía. Esos hallazgos se hicieron del conocimiento de la Fiscalía Especializada para la Atención de Delitos Electorales (FEPADE), de la Policía Cibernética y de la Unidad Técnica de lo Contencioso Electoral del INE.
- Desde el miércoles 20 de abril se presentó una denuncia de carácter penal ante la FEPADE y a la fecha también se inició un Procedimiento Ordinario
Sancionador a cargo de la Unidad Técnica de lo Contencioso Electoral del INE para que se impongan las sanciones que correspondan.
Por lo anterior, los datos de la copia de la Lista Nominal de Electores ya no son accesibles a través de internet y están en curso averiguaciones penales y administrativas.
Cabe señalar que no hay indicios de que en algún momento se vulneraran los sistemas de seguridad del Padrón Electoral y Lista Nominal, ni de intromisiones externas a la base informática del Instituto Nacional Electoral.
Para el Instituto Nacional Electoral el debido resguardo de la Lista Nominal y el Padrón Electoral es una prioridad y en cuanto detectan irregularidades se procede con firmeza, interponiendo las denuncias correspondientes para salvaguardar los datos de millones de mexicanas y mexicanos.
I had put the following questions to the INE, and Alejandro Andrade provided some answers, as below:
Who’s responsible for the database? Was it a political party who had legitimate
access to the database? If so, which party? If not, who put it on that IP address?
We started the investigation and legal actions, but we don´t have at the moment information to identify the persons involved. Although, we know is a copy of the database so it was given to someone who had legal access like the political parties. We haven´t been able to get access to the database logs or any other information from Amazon.
That’s important, because it means INE does not yet know whether the database was downloaded by anyone other than MacKeeper researcher Chris Vickery, and if so, by how many people. Why hasn’t Amazon cooperated with the Mexican government on this? Is it a First Amendment issue under our Constitution where an international process is required for them to provide the data?
Does Mexican law permit that database to be uploaded to a server outside of Mexico?
No. The use of the database is only for verification purposes. It is established in the law (Ley General de Instituciones y Procedimientos Electorales, Article 148, second paragraph).
For how long was that database exposed on Amazon?
We don´t have the information yet and we don´t know if Amazon is going to share information with us that can let us know that. We have taken legal actions so that the corresponding authorities help us to get more information.
Do access logs show how many times the database was accessed or downloaded?
We don´t have the information yet and we don´t know if Amazon is going to share information with us that can let us know that. We have taken legal actions so that the corresponding authorities help us to get more information.
Will there be any consequences for the entity that uploaded it to Amazon and left it unsecured?
Yes. The Institute has a legal procedure that can punish this actions besides the legal actions that can be taken from other authorities. We are doing our investigation to identify the persons involved.
Does the govt have any evidence suggesting that the data were being sold on the black market?
No, we don´t have any evidence at the moment.
Was this is the official 2015 padron? Your previous email suggested the numbers didn’t quite match by a matter of millions. What did you find out?
Yes, the investigation has let us know that it is the voters registration list that was legally given attending to article 151 of the Law. The number of registries doesn´t match, but the information we gathered has let us confirmed it.
What else is IFE/INE doing at this point in response to this incident?
A few weeks ago, the Institute´s General Council agreed to limit the information that is given in accordance to the Law. In this agreement for the voters list for this year´s elections, the address and other personal data was not included. There is a new agreement on the information related to personal data that is given in accordance to the law that will be discussed next week.
Kudos to the government for calling a press conference and responding so promptly. And kudos to them for having the foresight to set some “tracing marks” on any copy given out so that they can identify the person to whom the list was given and when. American readers will remember Chris Vickery, Salted Hash, and DataBreaches.net were never able to identify the source of a leaky database with data on 191 million American voters.
Even though the government is still in the investigative stage, it sounds like Mexican citizens will eventually get an answer as to who was responsible for this leak.
Update: See my post wondering what the criminal charges actually are.
TY for the great reporting and follow-ups!
I’m at a loss in regards to yahoo, yet in a way I expected this of them.
What does Yahoo have to do with this?? But thanks for the kind words on the reporting!
Just a heads up – the link to this page in “Update 4” on the original story is broken
Oops. Fixed it – thank you so much!