Cyber Incident Victim: Instituto Nacional Electoral
Date: Jul 2021
Location: Mexico
Summary
The Instituto Nacional Electoral experienced multiple security incidents involving Mexico's voter database, with unauthorized exposures and breaches occurring over several years. A recent incident involved a forum listing offering 91 million voter records. It followed previous leaks: one by Movimiento Ciudadano that exposed 93.4 million records hosted improperly on Amazon AWS, resulting in substantial fines for negligence, and another by PRI affecting over 2 million Sinaloa voters, with the data hosted unlawfully on DigitalOcean. An additional exposure of 87.8 million records occurred via an unsecured MongoDB instance on OVH SAS, while the latest incident's origin remains unclear. These repeated exposures stemmed from third-party mishandling of sensitive voter data, with some instances progressing from leaks to breaches when data was distributed or sold.
Description
The Instituto Nacional Electoral (INE) voter database experienced multiple security incidents between 2016 and 2021 involving unauthorized exposures and potential breaches. In 2016, cybersecurity researcher Chris Vickery identified two separate leaks of INE data. The first involved 93.4 million voter records belonging to political party Movimiento Ciudadano, which were exposed through an unsecured Amazon AWS storage instance. The dataset contained comprehensive personal information including names, addresses, birthdates, gender, and voter identification numbers. Movimiento Ciudadano initially attempted to falsely accuse Vickery of hacking their systems, but both Amazon and Vickery refuted these claims. The National Electoral Institute's complaint commission later fined Movimiento Ciudadano 34.1 million pesos (approximately $1.8 million USD) for negligence in securing the data.

A second 2016 leak exposed records of over 2 million voters from Sinaloa, traced to the Institutional Revolutionary Party (PRI). This dataset was similarly hosted insecurely on DigitalOcean infrastructure, violating Mexican data localization laws.

In 2020, an unidentified white-hat researcher discovered another exposed MongoDB instance containing 87.8 million voter records hosted by OVH SAS. OVH notified its customer and secured the database, though the responsible party remained unknown. Around the same period, researchers observed attempted sales of Mexican voter data matching this exposure.

The most recent documented incident occurred in July 2021, when a forum listing advertised the "entire" 2021 Mexican voter database containing 91 million records with 21 data fields per entry, including CURP national IDs, addresses, and voting precinct details. This prompted cybersecurity analysts to note that it represented at least the fourth major exposure of INE data since 2016.

The cumulative impact involved repeated exposures of sensitive voter information through third-party mishandling, with confirmed cases of data being offered for sale despite legal prohibitions on foreign hosting. INE received direct notification about the 2020 incident in 2021, but no organizational response or attribution details were publicly confirmed regarding the latest exposure.
