A recent listing on a popular forum claimed to be offering the entire Mexican voter database for 2021 — 91 million records.
The data was formatted with the following fields:
“CVE”,,”NOMBRE”,”PATERNO”,”MATERNO”,”FECNAC”,”SEXO”,
“CALLE”,”INT”,”EXT”,”COLONIA”,”CP”,”E”,”D”,”M”,”S”,”L”,
“MZA”,”CONSEC”,”CRED”,”FOLIO”,”NAC”,”CURP”
In response to the listing, Alon Gal (@UndertheBreach) commented on Twitter that this was the second breach involving Mexico’s Instituto Nacional Electoral (INE). He pointed readers to this site’s 2016 reporting on an earlier incident uncovered by Chris Vickery. That incident involved 93.4 million voters that turned out to be a leak of the copy of the database that had been provided to Movimiento Ciudadano. Movimiento’s response to the incident was to try to claim that Vickery had hacked them, but both Vickery and Amazon AWS services appropriately denied their attempt to shift blame.
Almost two years later, Movimiento Ciudadano was fined 34.1 million pesos (USD $1.8m) by the complaint commission INE for negligence in failing to properly secure the list.
Then Came the Second Leak
But that 2016 leak was not the only leak that Vickery found back then. He also discovered a second and smaller leak of voter information impacting more than 2 million voters in the Sinaloa area.
That second leak turned out to be the responsibility of PRI (Partido Revolucionario Institucional). As with the first leak, however, this leak, too, appeared to be hosted on Digital Ocean, even though under Mexican law, it was illegal for the data to be hosted out of the country.
Then Came the Third Leak or Incident and Maybe a Fourth?
In discussing the newest incident involving the voter database posted for sale on a forum, DataBreaches.net learned that a whitehat researcher had discovered an exposed database of Mexican voters last year. That database had approximately 87.8 million voters’ information on it and was hosted on OVH SAS.
The researcher contacted OVH who reached out to their customer about the unsecured MongoDB and the data were secured, but the researcher never found out the identity of the customer.
This same researcher also informed DataBreaches.net that they had observed someone trying to sell what might have been the same database last year. It’s not yet clear to DataBreaches.net whether the database they saw for sale last year was identical to the one they had found. This post may be updated on that point if clarification is received.
And Now There’s a Fourth Incident — Or is That the Fifth?
Based on the details provided in the forum listing at the top of this article, there has been yet another security incident — perhaps another leak, but the source is not yet known.
At some point, these may have all been “leaks” or unintended exposures. But at some point, at least two of these became breaches because data were being given away as samples or sold.
DataBreaches.net sent a DM on Twitter to INE to alert them that there was also a previously unreported incident in 2020 that they should also look into.
If the voters’ database is supposed to be protected, then it might appear that the government has failed to do so — repeatedly — by failing to ensure that those who have legitimate access to the database secure it properly. But is this really the government’s fault? There’s a lot we do not know at this point, but that should be investigated.