DataBreaches.Net

Menu
  • About
  • Breach Notification Laws
  • Privacy Policy
  • Transparency Report
Menu

Movimiento Ciudadanos continues to claim it was hacked despite evidence of leak

Posted on April 30, 2016 by Dissent

What Mexican political party Movimiento Ciudadanos is saying in the wake of a massive data leak is just so inconsistent with available evidence that DataBreaches.net will continue to try explain to the public what the available evidence actually shows.

As part of efforts to properly inform the Mexican public about a massive leak involving their information, this site posted statements from Amazon that confirm MacKeeper security researcher Chris Vickery’s claims that the database was exposed. There has been no evidence provided to indicate there was any hack that resulted in the exposure, as Movimiento Ciudadanos now tries to claim. All available evidence indicates that the exposure was due to the database not being configured (secured) properly by the party or its contractor, Indatcom. It is not clear from available information whether it was actually Indatcom’s responsibility to properly configure the database and to monitor its security. It definitely wasn’t Amazon’s responsibility to configure the database.

DataBreaches.net has provided  a password-protected file for journalists who would like to see proof that the database was exposed and easily accessed without any password required. Journalists can email DataBreaches.net or DM this blogger on Twitter (@pogowasright) to request the password to access that file.

Today, DataBreaches.net will focus on Movimientos Ciudadanos’s recent tweets that are contradicted by available evidence.

In numerous tweets, the party continues to claim that its copy of the voter list was “hacked” while it was on Amazon cloud services. It claims that Amazon supports that claim. It now claims that they are not accusing Chris Vickery of hacking them (that’s an improvement), but that their criminal complaint is against whoever did hack them.

Realizing that some translations may be a bit tricky, I’m going to respond to just a few of their many tweets here.

Reiteramos que Movimiento Ciudadano no dio mal uso a la información del padrón, ni puso en riesgo la información de los mexicanos.

— Movimiento Ciudadano (@MovCiudadanoMX) April 29, 2016


My translation: We insist that the cyberattack we suffered allowed a security expert to find our data.

and 

We reiterate that citizen movement did not misuse the information in the register, or put at risk the information of Mexicans.

What cyberattack? Where’s the evidence showing any intrusion or cyberattack? Movimientos Ciudadanos has provided no evidence to support that claim. The database’s access logs – if there even are any – should show what really happened.  So far, all we’ve seen is proof (from Vickery, in the password-protected file) that the database was exposed/leaking because port 27017 was open. Leaving that port open was either a mistake or a poor decision. It almost certainly wasn’t the result of any hack, and if Movimientos Ciudadanos thinks it was, they should provide logs that prove that. DataBreaches.net thinks that there will be no such evidence found. 

As to not putting people at risk: Movimiento Ciudadano put the information of Mexicans at great risk of theft by failing to secure the database properly on port 27017. If Chris Vickery hadn’t notified authorities to alert them to what he had found freely available for the taking, how many others might have found the unsecured database and downloaded all that information on more than million citizens? 

De lo único que pueden responsabilizar a Movimiento Ciudadano es de haber sido hackeados. — Movimiento Ciudadano (@MovCiudadanoMX) April 29, 2016

My translation: The only thing Movimiento Ciudadanos should be held accountable for is being hacked.

The party should be held accountable for its decision to upload the database outside of the country, its failure to hire a real security firm to secure the database properly, and for not monitoring the database access logs to detect whether the database was being accessed by others. It should also be held accountable for putting the personal information of more than 80 million Mexicans at unnecessary risk of identity theft or harm by failing to encrypt the data.

Vickery y el supuesto comunicado de Amazon Web Services confirman que nuestras medidas de seguridad fueron vulneradas: No hay contradicción.

— Movimiento Ciudadano (@MovCiudadanoMX) April 29, 2016

My translation: Vickery and the supposed communication from Amazon Web Services confirm that our security measures were violated: there is no contradiction.

That is NOT what Vickery nor Amazon said. Maybe Movimientos Ciudadanos should try a different translator? Vickery said that there was NO security measures (medidas de seguirdad) preventing access to the database via port 27017. And Amazon confirmed that there was no security preventing that, which is how the data got out.

Nothing Amazon said suggests that Movimientos Ciudadanos was hacked. We only have the party’s claim that that’s what they were told by Amazon. Where’s the evidence of that when Amazon has not said that publicly?

There’s much more from Movimiento Ciudadanos on Twitter, and it all appears either seriously inaccurate or just flat out false. Hopefully, the INE will release its own investigative report that will reveal just how much security the database had – or didn’t have.

Giving the political party the benefit of any doubt about possibly lying to the public, maybe they truly don’t understand what happened. But even if that is the case – that they have been misinformed or misled, or they just don’t understand what they’re being told – Movimientos Ciudadanos needs to understand that this incident was totally avoidable and occurred because they did not secure the database properly or ensure that a contractor did.

And until they do demonstrate that they understand that and accept full responsibility,  they should not be allowed to upload a copy of any voter list to any server, anywhere, ever.

And yes, DataBreaches.net thinks this incident should result in sanctions of Movimiento Ciudadanos and a very serious monetary penalty.

Category: Breach IncidentsCommentaries and AnalysesExposure

Post navigation

← UK: Anger and resignations after Welwyn Hatfield Council security breach
Two more colleges report compromise of employee W-2 info →

3 thoughts on “Movimiento Ciudadanos continues to claim it was hacked despite evidence of leak”

  1. Jordana Ari says:
    April 30, 2016 at 1:47 pm

    I have been reading and following this data breach since the beginning. Anything I would have commented on has already been said in previous comments in the other blog posts.

    Not sure if this has already been said in a comment, but it seems like this could be banging your head against a wall until Movimiento Ciudadanos accepts full responsibility. I hope the constant reporting and blogging will help. It seems like you are all dealing with ‘thick dense hard-skinned’ heads .

  2. Anon says:
    April 30, 2016 at 11:18 pm

    Apparently, the twist that MC are putting [from their website at http://movimientociudadano.mx/federal/boletines/declaraciones-especialistas-seguridad-cibernetica-amazon-confirman-postura-movimiento-ciudadano ] is that (allegedly) Vickery and Amazon found the database unsecured because someone broke the security measures that they supposedly had installed… so by the time Vickery found the database exposed, MC says that someone previously had breached the database before and exposed it. And they say that confirms that they were effectively hacked since “there’s no contradiction”.

    About them being meaningfully punished, I’m not holding my breath for it. The green party (Partido Verde Ecologista) got sued some time ago for millions of pesos and yet they are still there as if nothing ever happened. Of course, since they are allies with the PRI, and since our president is from that party…

    1. Dissent says:
      May 1, 2016 at 8:02 am

      Yes, I’m aware of their latest claims/version of events. They’ve offered no proof of any hack, of course.

      I do think they will get hit with sanctions and a fine by INE. From my communications with INE, they are very serious about this. As to “criminal” charges, well, I’m not sure I understand what the “crimes” are and whether the government can really make that case.

Comments are closed.

Now more than ever

"Stand with Ukraine:" above raised hands. The illustration is in blue and yellow, the colors of Ukraine's flag.

Search

Browse by Categories

Recent Posts

  • Nigerian National Sentenced To More Than Five Years For Hacking, Fraud, And Identity Theft Scheme
  • Data breach of patient info ends in firing of Miami hospital employee
  • Texas DOT investigates breach of crash report records, sends notification letters
  • PowerSchool hacker pleads guilty, released on personal recognizance bond
  • Rewards for Justice offers $10M reward for info on RedLine developer or RedLine’s use by foreign governments
  • New evidence links long-running hacking group to Indian government
  • Zaporizhzhia Cyber ​​Police Exposes Hacker Who Caused Millions in Losses to Victims by Mining Cryptocurrency
  • Germany fines Vodafone $51 million for privacy, security breaches
  • Google: Hackers target Salesforce accounts in data extortion attacks
  • The US Grid Attack Looming on the Horizon

No, You Can’t Buy a Post or an Interview

This site does not accept sponsored posts or link-back arrangements. Inquiries about either are ignored.

And despite what some trolls may try to claim: DataBreaches has never accepted even one dime to interview or report on anyone. Nor will DataBreaches ever pay anyone for data or to interview them.

Want to Get Our RSS Feed?

Grab it here:

https://databreaches.net/feed/

RSS Recent Posts on PogoWasRight.org

  • California county accused of using drones to spy on residents
  • How the FBI Sought a Warrant to Search Instagram of Columbia Student Protesters
  • Germany fines Vodafone $51 million for privacy, security breaches
  • Malaysia enacts data sharing rules for public sector
  • U.S. Enacts Take It Down Act
  • 23andMe Bankruptcy Judge Ponders Trump Bill’s Injunction Impact
  • Hell No: The ODNI Wants to Make it Easier for the Government to Buy Your Data Without Warrant

Have a News Tip?

Email: Tips[at]DataBreaches.net

Signal: +1 516-776-7756

Contact Me

Email: info[at]databreaches.net

Mastodon: Infosec.Exchange/@PogoWasRight

Signal: +1 516-776-7756

DMCA Concern: dmca[at]databreaches.net
© 2009 – 2025 DataBreaches.net and DataBreaches LLC. All rights reserved.