'No password' database error exposes info on 93 million Mexican voters

Information on 93 million Mexican voters has been leaked online. Voter records were exposed as the result of a config error in a MongoDB database that meant that the information was left accessible by anyone who knew where to look. The database – hosted on Amazon AWS – included voters' names, addresses, voter ID numbers, dates …

  1. Anonymous Coward

    no government will do it, but....

    There does need to be some basic assumption or legal right that your data belongs to you and anyone using it or sharing it has some duty or liability to you personally when they f**k it up.

    1. sysconfig

      Re: no government will do it, but....

      Unfortunately that's never going to happen, because many (all?) governments are guilty of slurping up data and using it in ways that citizens never agreed to or even know of.

    2. allthecoolshortnamesweretaken Silver badge

      Re: no government will do it, but....

      "If you won't treat my data properly, you shan't have it!"

      (Hey, I can dream, can't I?)

      1. Saigua

        Re: no government will do it, but....

        It's a miracle the mail ever gets to you if your address isn't zero padded and fuzzed. VAirBnB&D is the best place to stay. My employer, [[10 digit primes]+2] never fails to make proper local deductions. I am a veteran hospitaler of 11 indigenous democratic authorities...

  2. Bloakey1

    Well who would have thought it?

    "Mongo only pawn in game of life!"

  3. Sykobee

    MongoDB really needs to stop their "install with no authentication enabled" mechanism.

    Security seems to be way down their list of priorities. For a database that is often hosted in the cloud, that is abysmal behaviour. Clearly they want to remove barriers to entry.

    OTOH they provide free courses online that include how to administer a cluster, so it really is the devs using it that are ultimately to blame.

    1. Anonymous Coward

      Hush or all these 1337 millennial web "developers" might not get their unicorn web chaff off the ground.

  4. Destroy All Monsters Silver badge
    Big Brother

    "leaves people exposed to phishing and identity theft"

    In Mexico, it also leaves people exposed to a lot more...

    You could argue that the separation between the Bad Guys and State is Work in Progress, so if they want to get you, they have the data anyway, but still...

  5. adam payne Silver badge

    No password on a database of 93 million voters, now that is special. Hope they changed their installation procedures.

  6. Pascal

    Voters database *in the cloud*?

    Shame on whoever is responsible for this incorrect config cock-up.

    How can the setup / configuration of a database of all citizens be left to a single guy (or have no review / audit policy of any sort in place, given that even the simplest "IT security for Dummies" check would have caught that)?

    And then, how is it even acceptable that such an official database be hosted in the cloud, by Amazon, in the first place? I'm pretty sure item #1 on most governmental data security policies is "don't upload private citizen data on Amazon or Google"...

    1. Sureo

      Re: Voters database *in the cloud*?

      "simplest "IT security for Dummies" check would have caught that)?"

      "Network Security For Dummies" has 408 pages*, absorbing it is hardly a simple matter.

      *http://www.amazon.com/Network-Security-Dummies-Chey-Cobb/dp/0764516795

    2. Daniel B.

      Re: Voters database *in the cloud*?

      Not official. I'm pretty sure that this database was highly illegal under Mexican federal law. The IFE database must not leave the country, ever.

      1. anonymous boring coward Silver badge

        Re: Voters database *in the cloud*?

        "Not official. I'm pretty sure that this database was highly illegal under Mexican federal law. The IFE database must not leave the country, ever."

        What?

        Isn't a cloud supposed to be right above our heads?

  7. chivo243 Silver badge
    Coat

    has to be said

    ¿no habla ingles? Manual not in Spanish?

    1. theblackhand

      Re: has to be said

      "He's from Barcelona^H^H^HTijuana..."

  8. LDS Silver badge

    Meanwhile, in Italy...

    ... crooks are sending fake speed tickets impersonating the Swiss police. The letters (they are plain mail letters, to be more effective) are sent to people living near the border and contain details like correct names and addresses, 'fiscal code' (a sort of SSN; it can be computed, but it requires the date and place of birth also), plate numbers, and so on.

    It looks to me like some database has been compromised, and given the target, my guess is it could be one of those run by Regione Lombardia IT branch, but till now, despite the warning about the fake letters, no news about a data leak has been given.

    It could also be some insurance company database as well; what worries me is that till now nobody cared about where those data came from...

    1. TechnicalBen Silver badge

      Re: Meanwhile, in Italy...

      I would assume insurance database. Here in the UK lots of "insurance claims" calls are made just after a legit claim is made/processed.

      So someone somewhere is leaking and/or getting the data legally. The "insurance claims" calls are skirting the law by only charging ludicrous fees on possible personal court claims. So they're just ambulance chasing, which is unwanted but not illegal.

      Getting the data via the wrong means is though, and as these companies are not using the central database for an actual claim, but to sell you legal advice/services, then they really should get a big slap on the wrists.

      1. Adam 52 Silver badge

        Re: Meanwhile, in Italy...

        In the UK it is the insurance companies that sell details on - http://www.telegraph.co.uk/finance/personalfinance/insurance/motorinsurance/8615501/Dirty-secret-of-car-insurers-selling-accident-victims-details-to-no-win-no-fee-lawyers.html

  9. moiety

    Dammit! That's the UK out of the running for "biggest IT fuckup"....we've only got 60 million to expose in the first place. Maybe our government could go for the double, and expose everybody twice; but that's technically demanding and tricky to pull off...

    1. TechnicalBen Silver badge
      Coffee/keyboard

      Oh I'm sure...

      we could help a load of other nations spill their data at the same time?

    2. Marketing Hack Silver badge
      Go

      @moiety

      Maybe Britain can catch up if British couples need to hop to it in the breeding department!

      "But sweetie! We've got to do it if Britain is ever going to catch up to Mexico!"

      (What was it Queen Victoria said to one of her sexually restrained daughters that she married off? Something about "Lie back and think of England?" I guess Vicky was one smart lady!!)

  10. Shaha Alam

    all of my personal information should be inaccessible unless approved by me or someone acting in my agency.

    this (or similar) should be enshrined as a human right.

    it won't be till law makers are relieved of the contents of their off shore bank accounts by fraudsters using their id.

    1. Anonymous Coward

      (In)accessible

      I don't necessarily disagree with you, but just for the heck of it let's follow a line of thinking....

      - My personal details belong to me

      - My personal details are not accessible to anyone else

      - My personal details include my financial details

      - My financial details include my mahoosive, publicly-funded salary*

      - My mahoosive, publicly-funded salary passes through an off-shore account and various tax avoidance mechanisms in order to make me even wealthier

      ...but all of that information belongs to me and nobody can see it, so nobody would ever find out about my fiscal shenanigans.

      So how do we good guys get "the right" to know about the shady people's shady financial dealings?

      * for the avoidance of doubt, this is purely for the sake of argument. In reality I'm a mid-level, tax-paying wage slave just like all the other good guys

  11. Bumble Bee

    But is it Web Scale?

    what i just said...

  12. Mark 85 Silver badge

    Makes me wonder if the same batch that set up that Bangladesh bank system without installing a firewall also set up the Mexican database.

  13. J J Carter Silver badge
    Facepalm

    As Hamster would say...

    I understand the Mexican National Security Accreditor left strict instructions not to be woken from his siesta

  14. J J Carter Silver badge
    Boffin

    Also...

    Running MongoDB on AWS, this is surely the more performant, compromised electoral register in the world! Or is it?

    1. energystar
      Unhappy

      On being a little propositive among all these ruins...

      There is no 'Cultural Continuity' on IT in Mexico. Young 'scripting professionals' are given authority [and bigger checks] over Seniority. That should be SERIOUSLY worked.

      Very sad, also knowing This is not a first.

  15. grumpyoldeyore
    Joke

    I Wonder if...

    ... they'll now receive "Vote Trump" mailshots ....

  16. JWLong

    Well . . . . !

    It's not like Mexican voters have anything to steal in the first place........

    So, why worry about security?

  17. Anonymous Coward

    I wonder when the first couple will call their child Data-Breach?

  18. Anonymous Coward

    Q: What do they call a data-breach in Mexico?

    A: A hitlist.

  19. Glenn 6

    "Security Researcher" eh?

    One day, I woke up and the term "Ethical Hacker" became "Security Researcher".

    Basically anyone who attempts to connect into someone else's systems without their authorization is a hacker. Nothing against ethical hackers of course, someone needs to keep people on their toes. Just pointing out the fancy, not-as-offensive name they've since given themselves. :)

    1. energystar
      IT Angle

      At this specific incident.

      "Basically anyone who attempts to connect into someone else's systems without their authorization is a hacker."

      If the note is true to the words, everyone was Indeed 'authorized'...

Biting the hand that feeds IT © 1998–2019