DataBreaches.net is not alone in being outraged that in response to a massive data leak that put the information of 87 million Mexican voters at risk, Movimiento Ciudadano appears to be falsely claiming that the voter data list they stored on Amazon cloud was “hacked.” The political party has been repeating that false claim on Twitter and in the media, and has claimed to have filed a criminal complaint against Chris Vickery for allegedly hacking them.
Instead of being grateful that Vickery noticed that they had not secured their database and then spent a lot of time trying to identify them and alert them so that they could secure it, Movimiento Ciudadano is blaming Vickery and telling the public that Amazon told them that the database had been “hacked” or the victim of a “cyberattack.”
Movimiento Ciudadano is either incredibly ignorant or lying. Amazon told them no such thing.
Chris Vickery contacted Amazon last night to ask what they had actually said to Movimiento Ciudadano or its vendor, Indatcom. He received the following statement from Amazon.
All AWS security features and networks did, and continue to, operate as designed. Once AWS was notified that an unsecured database containing sensitive information was being hosted on the AWS Cloud and was publicly accessible via the Internet, we followed our standard security protocols and have since confirmed that this database is no longer publicly accessible. Customers who have questions about security best practices can find information at our Security Resources page (http://aws.amazon.com/security/security-resources/).
In other words, when Amazon learned (thanks to Vickery’s efforts) that the database was open to the public without security, they contacted the database owner to alert them to take it down so they could secure it properly. Amazon made no allegations of hacking or cyberattack – it simply informed the political party (through Indatcom?) that the database was publicly viewable and accessible when it shouldn’t be and they should take it down.
The Mexican branch of Amazon went even further in their statement to Mexican media:
Amazon México responded that the information uploaded by Movimiento Ciudadano was “stored in an insecure manner on the Amazon Web Services cloud.” It had no password and was visible on the internet, said its Public Relations manager, Julio Gil.
Dante distances himself from the hack; says Indatcom hired Amazon
Note that Amazon’s Julio Gil is correctly stating that the data was stored in an unsafe manner and that there was no password required, and it was visible on the internet.
And while Indatcom may have made arrangements to host the database on Amazon cloud, Amazon had no responsibility to secure the MongoDB database. Amazon had no role in the configuration of the database and the decision or error that left port 27017 open. That was solely on the political party or whoever they hired to secure the database.
Motivation to Blame or Lie?
DataBreaches.net understands that in 2013, Movimiento Ciudadano was fined over another data leak involving voter information that was found up for sale. It would be understandable that they do not want to be responsible for this newest incident, but they are responsible for this incident, and the Mexican public needs to understand that.
Movimiento Ciudadano has yet to disclose the access logs for the database. If and when they do, the Mexican people will learn that there was more than one IP address that accessed the voter list. Elsewhere, Dante has claimed that Chris Vickery was the only person to access the database. DataBreaches.net is aware that at least six IP addresses accessed the database. How can Movimiento Ciudadano claim Vickery was the only one to access it if there were at least six IP addresses that accessed it? Is he claiming Vickery was all six IP addresses? And how many other IP addresses accessed it? Movimiento Ciudadano needs to be more transparent about what its logs show.
Movimiento Ciudadano should stop misleading or lying to the Mexican people.
As one commenter on this site wrote in response to some of my earlier reporting on the data leak:
Disgraceful excuse of a political party. Here’s their attempt at covering themselves up translated. Oh, and on behalf of the Mexican people I’d like to apologize to Chris Vickery, who has now apparently been made the target of politicians trying to justify themselves.
Disgraceful, indeed. The Mexican people owe a debt of thanks to Chris Vickery.
I don’t know if Chris can sue Movimiento Ciudadano for defamation, but he might want to look into that. At the very least, the party should issue a public retraction and apology for their false claims about him. And the Mexican people need to know that they are being lied to by the political party who is responsible for the data leak.
Update: The Mexico Daily News has picked up the story.
Update 2: SonTusDatos has written about the questions that need to be answered (ES).
HA! Sum it up. If the Movimiento Ciudadano cannot secure privileged information, they are probably internally unstable as well. Whoever the wackos are internally thinking that it’s a good thing to put sensitive data of an entire country on another country’s server is a fail. Add in that they accuse the person who is trying to SECURE the data in the first place, is another strike.
Sue Movimiento Ciudadano? What about SLAP? I wonder if they have any entities whatsoever on US soil? I am sure there is some sort of satellite company or other assets.
Now that Movimiento Ciudadano have themselves exposed to their fail, they are trying to take everyone else down with them. It just goes to show you what really sits internally in that so-called company.
I seem to have implemented a new policy. If entities try to “shoot the messenger” by blaming them for their own security failures, I will shoot back and expose their lies.
I’m surprised you haven’t also been sued as co-hacker conspirator messenger extraordinaire (or other made up thing) in order to deflect responsibility.
I may demand that they sue me. 🙂
Political parties like Movimiento Ciudadano or Partido Verde are privately owned businesses. In México, political parties receive money from the government to cover their expenses. If you are able to create your own party then you get free money every year and there’s no working mechanism to make sure you use that money for what you should. They also serve the noble purpose of dividing opposition voting against the ruling party. With 3 or more little parties like them, the real opposition won’t get enough votes to get elected.
It is so sad when we see a lack of knowledge in technology stuff, but it’s more sad when we see people taking advantage of that lack of knowledge for themselves, and trying to cheat the people saying things like that. And, like Dante (Movimiento Ciudadano’s leader) says in his speech making an analogy: It’s like renting a house, the owner of the house has no responsibility for putting a police officer or a guard in the house, or even putting a safe in it, it’s the people who rent the house to secure it, or mounting a CCTV for that matter, but when I left my door open, and try to blame others for that, it’s a shame.
Feel free to point Mexican citizens or Mexican news outlets to my post. The truth needs to get out.
At least apparently the INE knows even the exact person that leaked it according to this: http://elhorizonte.mx/mexico/politica/631124/lista-de-mc-no-tenia-ningun-mecanismo-de-seguridad-ine
The interesting bit:
Córdova commented that they already knew that the responsible party was Movimiento Ciudadano, even the specific person that received the information, thanks to the digital watermark that the INE installed as a security measure and that worked.
“This matter has not been closed by the party’s declarations, quite the opposite, everything they said is part of the record and will be part of the investigation that will end with an exemplary punishment to the responsible parties of the data breach that exposed the data of the Mexican citizens”.
But, Dante Delgado (MC’s leader) is not convinced. He says (on interview for Grupo Imagen Multimedia apparently; http://peninsulardigital.com/nacional/creen-nos-hackearon/194534):
“The man that says that (Chris Vickery; referring to Vickery’s findings about the DB not being secured and that he didn’t have to hack anything) knows that he infiltrated the lock (Amazon’s cloud), he knows he cracked it and wants to say that he just found it but that’s false”.
Mr. Delgado is also affirming that Vickery’s “a very lucky man” because “he also accessed the US’ voters database”.
(from http://www.revistainferno.com/noticia/9275)
“He’s someone professional that lends services and after his interview he keeps offering services… it’s always on my head.”
Defaming someone in that way by inventing dangerous accusations against them (especially the accessing the US voters DB bit) and having no consequences is something that can only happen over here sadly. A shame that clown can’t be sued and put off to do real work, instead of blaming others for his faults.
Hey, it gets more interesting. Indatcom has apparently, as usual over here in Mexico, a rather bad record too.
Indatcom has been working for MC since 2010. They advertise themselves as a “Mexican enterprise focused on tech services and digital marketing, specialized on social media analysis, web advertising, web page development and social media apps.”
Indatcom’s CEO, Ismael Sánchez Anguiano, is the general director of Producciones Elide y Sonofilia, a company that organized fraudulent events in Jalisco in 2010.
Sánchez Anguiano’s companies, whose address is Calle 6 de Diciembre Number 2025, Jardines del Country, Guadalajara, Jalisco, Mexico have received thousands of pesos in contracts with MC.
Indatcom’s bill for their wonderful database leaking services in 2015 totaled $127,582.76 MXN ($7,392.1894 USD) per month. That fee includes Livestreaming services, general web administration and licenses for Zendesk and Google Apps.
MC’s claims about Vickery are just flat-out lies.
I’ve collaborated with Vickery since last year on a number of his discoveries. Sometimes he can reach entities to notify them. Other times, if he’s having trouble figuring out whom to notify or is having trouble getting a response, I’m the one who winds up notifying the company or entity to get a database secured. In a few cases, Steve Regan of CSO has also been involved and has helped track down a database owner to notify them they’re leaking.
With the U.S. voter database, after Vickery found it, he contacted me to help figure out whose it was and whom to notify, as of course, all we had was the IP address and Amazon wouldn’t tell us who owned it. So we contacted the FBI and the U.S. Secret Service, and we cooperated with the Secret Service to try to get that database secured. They were very grateful for our assistance, as was the state of California. No one here ever accused him – or me – of “hacking” that database, which he found exactly the same way – by a search of Shodan. If it took *days* for MC to find out that they had a leak, that’s only because we had no idea whom to contact, it’s not easy to get through to Amazon to get them to take action promptly, and the Mexican embassy sent Chris’s email to their spam folder.
Finally: I’ve never known Vickery to try to sell an entity his services when notifying them of a leak – we just tell the entity that their database is exposed, we tell them what the IP address is, and we tell them that they have port 27017 open. No offer to sell services. Vickery has a full-time job already, and I have no services to sell. 🙂
“and the Mexican embassy sent Chris’s email to their spam folder.”
Sheez, reminds me of the time I contacted crime-stoppers for you in Canada because they had people’s personal info and “crime reports” in the open. They were denying and refusing to accept it. Then their IT guy sent a nice ty email much later after trying and failing w/ regular contacts.
Amazon needs to step up to the plate and the “data owners” routes of contacts need to be better addressed for security/breach issues. This is not a country or entity specific issue. It’s a wide laissez-faire attitude and in some cases, such as this one, deflection and blame is the name of the game instead of accepting responsibility for the data protection they are charged with.
But, what do I know. I’m just a plebe in need of coffee.
I plan to follow up on the Amazon contact issue, and have already told Chris we need to follow up on that. Although he’s making some inroads with them, it shouldn’t be this difficult, and the next person down the road wouldn’t know how to get through to someone quickly to get results faster.
Once Chris notified Amazon, how long should it take them to identify which customer’s account is linked to the IP address and to notify them of a problem? I don’t think it should take that long and they need an escalation process.