87 Million Mexican Voter Records Discovered in Unprotected Online Database

A voter casting her ballot during Mexico’s presidential elections on July 1, 2012.

Photo by John Moore/Getty Images

Hacks and data breaches are a ubiquitous threat these days, but malicious actors don’t always need to put in a lot of work to mine valuable personal data. Sometimes they can go right in the front door of an unprotected database. The latest example is a trove of Mexican voter registrations discovered by a security researcher a few weeks ago. And it wasn’t a minor list. The database had personal information for 87 million Mexicans—out of a population of more than 120 million.

Security researcher Chris Vickery, of the software company MacKeeper, discovered the database on April 14. Vickery is the researcher who discovered the Hello Kitty Sanrio database leak in December. He followed that up about 10 days later with the discovery of an unprotected database that contained records for 191 million U.S. voters.

As with the latest Mexican leak, voter data generally doesn’t contain citizen IDs (like social security numbers) or credit card numbers, but it does often have addresses, birthdays, voter ID numbers, and other personal information that could help bad actors construct phishing schemes or do other social hacking.

The Mexican database was taken down over the weekend, but Vickery had to work for a few days to notify the correct Mexican authorities. The Mexican National Electoral Institute released a statement on Friday noting that it has launched an internal investigation and notified the prosecutor for electoral crimes. Amazon Web Services, which was hosting the database, told BBC News that “As of 1:00 am on April 22, this database was no longer publicly accessible.”

Vickery told Ars Technica U.K., “The Mexican government says that when they give out these data sets, each set is ‘watermarked.’ … That makes it possible to determine who was responsible for the set that got leaked. So, soon enough we’ll at least know which non-governmental authority was responsible for the particular data that was leaked.”

Deploying intense cybersecurity measures is clearly necessary for sensitive personal data as hacks and breaches ramp up. These unprotected databases don’t even put a password between valuable data and potential bad actors, though. As awareness about data security grows, even small protective steps are important.