A database containing the personal details of over 90 million Mexican voters has been found online without any password protection.
MacKeeper security researcher Chris Vickery explained in a blog post on Friday that he discovered the publicly accessible database of 93.4 million people on an Amazon cloud server based in the US a week previously.
“After reporting the situation to the US State Department, DHS, the Mexican Embassy in Washington, the Mexican Instituto Nacional Electoral (INE), and Amazon, the database was finally taken offline April 22nd, 2016,” he added.
“Under Mexican law, these files are ‘strictly confidential,’ carrying a penalty of up to 12 years in prison for anyone extracting this data from the government for personal gain. We’re talking about names, home addresses, birth dates, a couple of national identification numbers, and a few other bits of info.”
Vickery claimed that the accuracy of at least one record has been confirmed.
It’s not known if any malicious third parties have been able to access the information in the database, or how long the data was exposed to the public.
However, the exposure could have far more serious implications than most data breaches. As well as exposing Mexican voters to possible follow-up phishing attacks and online scams, it may put some in physical danger.
“Kidnapping is a considerable problem in Mexico, and allowing cartels to download copies of this database could prove disastrous,” Vickery warned.
Proofpoint SVP of cybersecurity strategy, Ryan Kalember, argued that the case highlights the complexity of securing sensitive data.
“Stopping data loss requires a combination of effective technology and user education. Security teams must look beyond traditional places, like file shares and on-premise databases, when locating sensitive information and ultimately stopping loss. It’s time to extend the search for confidential information into cloud storage, social media, and even the dark web,” he added.
“Organizations also need to take the human factor into account and educate employees about the value of the information they process. Security education can drastically reduce data breaches that result from misuse. It’s important that employees think twice before posting on a public file sharing network, or mailing documents to their home email address.”