93 Million Mexican Voter Database Exposed On Amazon Cloud - InformationWeek
4/26/2016
10:05 AM

93 Million Mexican Voter Database Exposed On Amazon Cloud

A MongoDB database filled with the personal information of 93 million Mexican voters was found configured improperly on the Amazon cloud. The incident raises issues of how information is protected in the cloud.


If you're wondering what can go wrong with putting your data in the cloud, the example of the Mexican National Electoral Institute (INE) may be instructive.

INE maintains a database of 93 million voters in Mexico with all the personal information that qualifies them for a government ID and to vote. It makes copies available -- to whom and under what circumstances is not clear -- and one of them was stored by its owner in MongoDB on the Amazon EC2 cloud. The owner has not been identified.

Chris Vickery, a security researcher who works for a Macintosh software company, MacKeeper, discovered the database and found he needed no credentials to get into it and examine the data. No authentication procedures had been placed on it to restrict access to its owners, nor had the data been encrypted.

Vickery notified ArsTechnica of the existence of the database on April 14, according to an April 25 article that appeared on the site's UK edition.

(Image: stockcam/iStockphoto)


Several days later, Vickery told a Harvard University audience about his experience during a speaking engagement. Vickery, along with a Mexican citizen and a journalist in attendance, attempted to notify Mexican authorities of the exposure. Vickery took the Mexican citizen to the database after his talk and looked up the name of his father. The address displayed corresponded to his family's, as did other personal information, according to The Register's report in the UK.

Vickery initially had only been able to guess that he was looking at a database of Mexican voter information.

Amazon was notified of the exposure April 21, and the company notified the MongoDB system owner that knowledge of its unprotected database had been made public. It was taken down by April 22.

Although it's being described as a massive database leak or breach in some quarters, there's no direct evidence that anyone stole information from the system or downloaded it for their own purposes. It couldn't be accessed as a URL over the Internet.

Vickery activated a MongoDB client and went to its IP address, which he found using the Shodan search engine. Shodan can be used to locate Internet-attached devices and identify IP addresses. Vickery used the default port invoked by MongoDB -- port 27017 -- in the Shodan search engine to come up with the IP address, then used it in the MongoDB client.

"There really was nothing special about the search terms. It was just a stroke of luck that I saw it and followed up," Vickery told ArsTechnica.


Notified of the existence of the system, the INE issued a statement in Spanish that the BBC translated as saying the institute "watermarks" copies of the data sets it issues so they can be traced to their owners. It threatened to pursue the owner for breaking the law if the data prove to have been used improperly, according to the translation.

Amazon Web Services issued a brief statement on the incident saying that it had notified the owner of the system as soon as it received word about its discovery, and that it was removed soon afterward. Amazon regularly advises customers that it will take responsibility for the security of the cloud infrastructure, but they must take responsibility for the applications they run on it.

"The promise of the cloud is to deliver rapid value, and bring increased levels of efficiency and agility. However, as evidenced by this incident, this has to be balanced with clear support for monitoring and governance by companies that consume the cloud," said Rohit Gupta, CEO and cofounder of Palerra, a cloud security firm.

He said, in an email message, that proper configuration of MongoDB systems in the cloud would have kept out prying eyes, and that encryption of the data would have prevented any identity theft if someone still got in. He urged the monitoring of something like a large MongoDB data system in the cloud, with an audit trail of any system administrator activity.

"Security monitoring and governance does for the cloud what air traffic control does for airplanes; it prevents catastrophic outcomes," he said.
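The configuration points raised above (no authentication, and MongoDB's default port reachable from anywhere) can be checked before a deployment goes live. The following is an added example, not code from the article or from anyone quoted in it; the security group ID and both sample inputs are constructed, and the mongod.conf is assumed to be already parsed from YAML into a dict.

```python
import ipaddress
import json

MONGODB_PORT = 27017  # default mongod port named in the article

# Constructed sample: ingress rules in the shape returned by EC2 DescribeSecurityGroups.
SAMPLE_SG = json.loads("""
{"SecurityGroups": [{"GroupId": "sg-EXAMPLE", "IpPermissions": [
  {"IpProtocol": "tcp", "FromPort": 27017, "ToPort": 27017,
   "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
  {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
   "IpRanges": [{"CidrIp": "203.0.113.0/24"}], "Ipv6Ranges": []}
]}]}
""")

# Constructed samples: mongod.conf (YAML) already parsed into a dict.
WEAK_CONF = {"net": {"port": 27017, "bindIp": "0.0.0.0"}}
HARDENED_CONF = {"net": {"port": 27017, "bindIp": "127.0.0.1,10.0.1.5"},
                 "security": {"authorization": "enabled"}}


def world_open(perm, port):
    """True if one ingress rule exposes `port` to every address."""
    proto = perm.get("IpProtocol")
    if proto not in ("tcp", "-1"):  # "-1" means all protocols and ports
        return False
    if proto == "tcp" and not perm.get("FromPort", 0) <= port <= perm.get("ToPort", 65535):
        return False
    cidrs = [r["CidrIp"] for r in perm.get("IpRanges", [])]
    cidrs += [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
    return any(ipaddress.ip_network(c, strict=False).prefixlen == 0 for c in cidrs)


def audit(sg_doc, conf):
    """Return findings for a mongod host and the security groups attached to it."""
    findings = []
    net = conf.get("net", {})
    port = net.get("port", MONGODB_PORT)
    for sg in sg_doc["SecurityGroups"]:
        if any(world_open(p, port) for p in sg["IpPermissions"]):
            findings.append(f"{sg['GroupId']}: port {port} open to the internet")
    if conf.get("security", {}).get("authorization") != "enabled":
        findings.append("mongod: security.authorization is not enabled")
    # A missing bindIp is treated as localhost (the default since MongoDB 3.6).
    binds = str(net.get("bindIp", "127.0.0.1")).split(",")
    if net.get("bindIpAll") or any(b.strip() in ("0.0.0.0", "::") for b in binds):
        findings.append("mongod: listening on all interfaces")
    return findings
```

An empty list from `audit` means none of the three conditions was found; it does not cover encryption at rest or audit logging, which the article also mentions.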

Charles Babcock is an editor-at-large for InformationWeek and author of Management Strategies for the Cloud Revolution, a McGraw-Hill book. He is the former editor-in-chief of Digital News, former software editor of Computerworld and former technology editor of Interactive ...

Comments
Susan Fourtané,
User Rank: Author
4/28/2016 | 5:34:57 AM
Re: When is a breach not a breach?
Charlie, 

That's the problem, that no one can know with certainty that it did get taken down quickly enough. 

This is the main problem I see: 

"INE maintains a database of 93 million voters in Mexico with all the personal information that qualifies them for a government ID and to vote. It makes copies available -- to whom and under what circumstances is not clear --" 


Do you have the knowledge of any other government making copies of such data available? 

-Susan 
Susan Fourtané,
User Rank: Author
4/28/2016 | 4:54:55 AM
Re: AWS and the Cloud Services Learning Curve
Technocrati,

I don't see there was a breach in this case either.  It rather shows how important it is to configure properly, and most of all it's a clear example of what any security expert recommends: Always encrypt your data. Encryption is what determines how secure the data will be in the cloud. 

A cloud service provider is responsible for the cloud infrastructure security. But it's the responsibility of the cloud users to encrypt, protect, and secure their data. There is not too much science in that. 

So, the person who obtained the copy of the data had no idea about the basics of cloud storage when dealing with sensitive data. 

But, I believe the most important thing to question here is how and why the Mexican government allows anyone to have a copy of such data. This is not clear to me.

How can a citizen trust a government that makes it so easy for anyone to access the information of every single citizen? I believe that's the main issue here. Otherwise, this would have never happened. 

-Susan 
impactnow,
User Rank: Author
4/27/2016 | 5:48:59 PM
Security not just a cloud issue
I think it's more of an issue of multi-tenant cloud versus exclusive cloud. It is also just an overall security issue with both detection and prevention; it could happen in any multi-tenant cloud environment that is not well protected.
jries921,
User Rank: Ninja
4/27/2016 | 12:38:03 PM
That should make lots of news in Mexico
'Tis a pity those responsible will never have to face the voters, as in Mexico, nobody is allowed to be reelected.
IbarraSalas,
User Rank: Apprentice
4/26/2016 | 4:15:12 PM
Not-so-subtle Homework
A most peculiar case, yet I find myself agreeing with what was said in another post: I sincerely doubt there was an attempt of foul play or even a data leak, it just happens that whoever was responsible for keeping this particular copy in place didn't have the proper information on how to use the tools at hand, a shame, and slightly amusing.

Knowing this lovely country of ours however, it's probably going to be kept under wraps and solved through official channels, away from most information center
Charlie Babcock,
User Rank: Author
4/26/2016 | 2:52:47 PM
When is a breach not a breach?
Well said, Technocrati. I don't view it as a breach, either, although some may disagree. However, an unauthorized raid on the information was inevitable, if it didn't get taken down quickly. And we don't know for sure that none occurred. The bad outcomes could show up later.
Technocrati,
User Rank: Ninja
4/26/2016 | 2:32:14 PM
AWS and the Cloud Services Learning Curve

This is an interesting case of Data getting out. I don't see this as a breach but rather shows how difficult it is to really understand the mechanics of AWS MongoDB.

The person who obtained a copy obviously did not understand the process well enough to apply security measures, which underscores the fact that if one uses a Cloud based solution, there is still a learning curve to endure and security is not guaranteed until the effort is made to do so.

Mistakes can still be made of course, but the effort to understand how a service works is worth the embarrassment.
