In yet another large scale breach of personal information, more than 93.4 million Mexican citizens have had their voter registration records exposed online.
The data was discovered by security researcher Chris Vickery on an Amazon cloud server without any password protection and includes 132GB of information including everything from ID numbers to home addresses.
Discovered on April 14th, the database was finally taken down on Friday, after Vickery reported the situation to the US State Department, DHS, the Mexican Embassy in Washington, the Mexican Instituton Nacional Electoral (INE), and Amazon.
It is one of the largest breaches of sensitive data ever recorded, with potentially grave consequences for those affected. Vickery immediately realised the seriousness of the breach: kidnapping is a considerable problem in Mexico, and allowing cartels to download copies of this database could give them the information needed to find victims.
Why a database with Mexican voters’ information was hosted on a server outside of Mexico, who uploaded it to Amazon, and why it wasn’t properly secured are questions in search of answers.
'Following the September 11th terrorist attacks, the United States, for whatever reason, acquired a similar database through a data brokerage firm known as ChoicePoint,' wrote Vickery. 'From what I’ve read, ChoicePoint managed to get ahold of the Mexican voter database in exchange for $250,000 back in the early 2000s.'
'When that story broke, citizens across Mexico were outraged that the US Government had the country’s private details. I can only imagine what fury will ensue now that anyone in the entire world could have potentially downloaded it. I mean, I’m just some guy in Texas… and I have it.'
While we don’t know whether this massive breach was done maliciously or carelessly, in an email to DataBreaches.net, the Instituto Nacional Electoral (INE) said the culprit of the breach must have had 'legal access' to the information.
Ryan Kalember, SVP, Cybersecurity Strategy at security firm Proofpoint said that the incident highlights the complexity associated with securing sensitive data.
'Stopping data loss requires a combination of effective technology and user education,' sais Kalember. 'Security teams must look beyond traditional places, like file shares and on-premise databases, when locating sensitive information and ultimately stopping loss. It’s time to extend the search for confidential information into cloud storage, social media, and even the dark web.'
Given that we are also on the cusp of major elections in the US and UK, we all need to sit up and take notice – this kind of personal information is a key target for hackers because identity fraud is a billion dollar business.
'It is still too early for more detailed analysis as we don’t have all the information, however the attack vectors commonly used to initialise attacks of this magnitude are to gain access by stealing employee or insider credentials,' said Brian Spector, CEO of cryptographic specialist MIRACL.
'The credentials are still all too often simply user name and password. What the attacker knows: when a password, irrelevant of how complex the password may be, is successfully stolen, the attacker can get access to internal systems and work their way to sensitive information – and steal it all.'
The underlying issue, said Spector, is that the username and password system is old technology that is not up to the standard required to secure the deep information and private services that we as individuals store and access online today.
'By contrast, new, secure methods of two-factor authentication can provide much stronger security, and make database hacks, password reuse, browser attacks and social engineering a thing of the past.'