Mexico launches criminal probe into theft of 87 million voter records

Mexican authorities have begun criminal proceedings into a data theft incident said to affect more than 87 million registered voters.

Mexico’s National Electoral Institute (INE) filed a criminal complaint on Friday with the country’s election crimes office concerning millions of voter records discovered on a U.S.-based Amazon cloud server. The theft of the records, which includes names, addresses, phone numbers, dates of birth, and voting credentials of Mexican citizens, constitutes a “national offense,” according to INE Director Lorenzo Cordova Vianello.

It remains unclear how the database, which is confidential under federal law, wound up on a server in the United States. 

The database’s existence was revealed on Friday by Chris Vickery, a white-hat security researcher employed by Austin-based antivirus software company MacKeeper. Vickery is responsible for identifying a misconfigured database in December that exposed the voting records and personal information of more than 191 million Americans.

The database containing Mexico’s voter records was shut down by Amazon early Friday morning after repeated complaints by Vickery, who had previously contacted the U.S. State Department, the U.S. Secret Service, and the U.S. Computer Emergency Readiness Team (US-CERT), a federal agency tasked with assessing cyberthreats against the nation, to no avail.

The identity of the culprit behind the leak remains a mystery, according to Dissent Doe, a pseudonymous blogger who routinely partners with Vickery on major cybersecurity scoops. In an interview on Doe’s website, DataBreaches.net, an INE spokesperson confirmed the veracity of the database.

“We started the investigation and legal actions, but we don’t have at the moment information to identify the persons involved,” the spokesperson said.

Vickery, who believes the records have been matched to a February 2015 electoral roll, said the Mexican government had access to the database for three days before Amazon shut it down. “I’m sure they downloaded a copy of it,” he said.

INE confirmed that the database originated with a person who had legal access to the records. The culprit is likely someone affiliated with one of the country’s nine political parties, they said. In fact, the agency may already be aware of which one.

According to Vickery, the voter lists distributed to the parties contain unique identifiers, such as bogus names hidden among the millions of authentic records. Without multiple copies of the database, identifying the false records would be like locating a needle in a haystack.

“Apparently, they’ve been able to identify which on the nine parties leaked it,” Vickery said. “They’re not saying who yet.”

Mexico has yet to receive Amazon’s cooperation, according to INE, who confirmed legal action had been taken “so that the corresponding authorities [can] help us to get more information.”

The spokesperson added that it was prepared to take steps to limit the personal information collected about voters, which had been a topic of discussion before the institute’s general council in past weeks. “There is a new agreement on the information related to personal data that is given in accordance [with] the law that will be discussed next week,” they said.

The Mexican government has invited Vickery to visit Mexico, the Daily Dot has learned, so that officials can explain to him how the security around its election system works. In an email to Vickery, a government official said it was “important to exchange points of view” and learn from his experience. Vickery said he was looking forward to visiting the country with his wife soon. 

Update 4:30pm CT, Apr. 23: This article has been updated to include an additional quote from an INE spokesperson.