93 Million Mexican Voter Database Exposed On Amazon Cloud - InformationWeek

InformationWeek is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Cloud // Infrastructure as a Service
10:05 AM
Connect Directly

93 Million Mexican Voter Database Exposed On Amazon Cloud

A MongoDB database filled with the personal information of 93 million Mexican voters was found configured improperly on the Amazon cloud. The incident raises issues of how information is protected in the cloud.

10 Cloud Jobs In Highest Demand Now
10 Cloud Jobs In Highest Demand Now
(Click image for larger view and slideshow.)

If you're wondering what can go wrong with putting your data in the cloud, the example of the Mexican National Electoral Institute (INE) may be instructive.

INE maintains a database of 93 million voters in Mexico with all the personal information that qualifies them for a government ID and to vote. It makes copies available -- to whom and under what circumstances is not clear -- and one of them was stored by its owner in MongoDB on the Amazon EC2 cloud. The owner has not been identified.

Chris Vickery, a security researcher who works for a Macintosh software company, MacKeeper, discovered the database and found he needed no credentials to get into it and examine the data. No authentication procedures had been placed on it to restrict access to its owners, nor had the data been encrypted.

Vickery notified ArsTechnica of the existence of the database on April 14, according to an April 25 article that appeared on the site's UK edition.

(Image: stockcam/iStockphoto)

(Image: stockcam/iStockphoto)

Several days later, Vickery told a Harvard University audience about his experience during a speaking engagement. Vickery, along with a Mexican citizen and a journalist in attendance, attempted to notify Mexican authorities of the exposure. Vickery took the Mexican citizen to the database after his talk and looked up the name of his father. The address displayed corresponded to his family's, as did other personal information, according to The Register's report in the UK.

Vickery initially had only been able to guess that he was looking at a database of Mexican voter information.

Amazon was notified of the exposure April 21, and the company notified the MongoDB system owner that knowledge of its unprotected database had been made public. It was taken down by April 22.

Although it's being described as a massive database leak or breach in some quarters, there's no direct evidence that anyone stole information from the system or downloaded it for their own purposes. It couldn't be accessed as a URL over the Internet.

Vickery activated a MongoDB client and went to its IP address, which he found using the Shodun search engine. Shodun can be used to locate Internet-attached devices and identify IP addresses. Vickery used the default port invoked by MongoDB -- port 27017 -- in the Shodun search engine to come up with the IP address, then used it in the MongoDB client.

"There really was nothing special about the search terms. It was just a stroke of luck that I saw it and followed up," Vickery told ArsTechnica.

Learn to integrate the cloud into legacy systems and new initiatives. Attend the Cloud Connect Track at Interop Las Vegas, May 2-6. Register now!

Notified of the existence of the system, The INE issued a statement in Spanish that the BBC translated as saying the institute "watermarks" copies of the data sets it issues so they can be traced to their owners. It threatened to pursue the owner for breaking the law if the data prove to have been used improperly, according to the translation.

Amazon Web Services issued a brief statement on the incident saying that it had notified the owner of the system as soon as it received word about its discovery, and that it was removed soon afterward. Amazon regularly advises customers that it will take responsibility for the security of the cloud infrastructure, but they must take responsibility for the applications they run on it.

"The promise of the cloud is to deliver rapid value, and bring increased levels of efficiency and agility. However, as evidenced by this incident, this has to be balanced with clear support for monitoring and governance by companies that consume the cloud," said Rohit Gupta, CEO and cofounder of Palerra, a cloud security firm.

He said, in an email message, that proper configuration of MongoDB systems in the cloud would have kept out prying eyes, and that encryption of the data would have prevented any identity theft if someone still got in. He urged the monitoring of something like a large MongoDB data system in the cloud, with an audit trail of any system administrator activity.

"Security monitoring and governance does for the cloud what air traffic control does for airplanes; it prevents catastrophic outcomes," he said.

Charles Babcock is an editor-at-large for InformationWeek and author of Management Strategies for the Cloud Revolution, a McGraw-Hill book. He is the former editor-in-chief of Digital News, former software editor of Computerworld and former technology editor of Interactive ... View Full Bio

We welcome your comments on this topic on our social media channels, or [contact us directly] with questions about the site.
Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
Susan Fourtané
Susan Fourtané,
User Rank: Author
4/28/2016 | 5:34:57 AM
Re: When is a breach not a breach?

That's the problem, that no one can know with certainty that it did get taken down quickly enough. 

This is the main problem I see: 

"INE maintains a database of 93 million voters in Mexico with all the personal information that qualifies them for a government ID and to vote. It makes copies available -- to whom and under what circumstances is not clear --" 

Do you have the knowledge of any other government making copies of such data available? 

Susan Fourtané
Susan Fourtané,
User Rank: Author
4/28/2016 | 4:54:55 AM
Re: AWS and the Cloud Services Learning Curve

I don't see there was a breach in this case either.  It rather shows how important it is to configure properly, and most of all it's a clear example of what any security expert recommends: Always encrypt your data. Encryption is what determines how secure the data will be in the cloud. 

A cloud service provider is responsible for the cloud infrastructure security. But it's the responsibility of the cloud users to encrypt, protect, and secure their data. There is not too much science in that. 

So, the person who obtained the copy of the data had no idea about the basics of cloud storage when dealing with sensitive data. 

But, I believe the most important thing to question here is how and why the Mexican government allows anyone to have a copy of such data. This is not clear to me.

How can a citizen trust a government that makes it so easy for anyone to access the information of every single citizen? I believe that's the main issue here. Otherwise, this would have never happened. 

User Rank: Author
4/27/2016 | 5:48:59 PM
Security not just a cloud issue
I think it's more of an issue of multi tenet cloud versus exclusive cloud. It is also just an overall security issue with both detection and prevention it could happen in any multi tenet cloud environment that is not well protected.
Charlie Babcock
Charlie Babcock,
User Rank: Author
4/26/2016 | 2:52:47 PM
When is a breach not a breach?
Well said, Technocrati. I don't view it as a breach, either, although some may disagree. However, an unauthorized raid on the information was inevitable, if it didn't get taken down quickly. And we don't know for sure that none occurred. The bad outcomes could show up later.
InformationWeek Is Getting an Upgrade!

Find out more about our plans to improve the look, functionality, and performance of the InformationWeek site in the coming months.

How SolarWinds Changed Cybersecurity Leadership's Priorities
Jessica Davis, Senior Editor, Enterprise Apps,  5/26/2021
How CIOs Can Advance Company Sustainability Goals
Lisa Morgan, Freelance Writer,  5/26/2021
IT Skills: Top 10 Programming Languages for 2021
Cynthia Harvey, Freelance Journalist, InformationWeek,  5/21/2021
White Papers
Register for InformationWeek Newsletters
Current Issue
Planning Your Digital Transformation Roadmap
Download this report to learn about the latest technologies and best practices or ensuring a successful transition from outdated business transformation tactics.
Flash Poll