Instituto Nacional Electoral

The Instituto Nacional Electoral (INE) is Mexico's autonomous public institution responsible for organizing federal elections and maintaining the national voter registry. This registry encompasses the personal and electoral data of Mexican citizens eligible to vote, forming the foundation of the country's democratic processes. INE's mandate includes voter registration, electoral district demarcation, campaign regulation, and vote counting, positioning it as a cornerstone of Mexico's electoral system. The institute operates under Mexican law as the central authority for electoral administration, ensuring the integrity and transparency of national and state-level elections. Its functions directly support the constitutional right to vote and the peaceful transfer of power, making it a critical component of the nation's governance infrastructure. The sensitivity of the data it manages, particularly the voter registry, underscores its importance and the potential impact of any security compromise.

The scale of INE's operations is reflected in the vast size of its voter database, which has been the subject of multiple high-profile security incidents. Breaches and leaks have exposed records ranging from 87.8 million to 93.4 million individuals, including a 2021 incident where 91 million voter records were offered for sale on a forum. Previous exposures involved improper hosting on cloud platforms like Amazon AWS (93.4 million records, leading to fines for negligence) and Digital Ocean (over 2 million Sinaloa voter records), as well as an unsecured MongoDB instance on OVH SAS (87.8 million records). These incidents underscore the enormous volume of sensitive data under INE's purview and the recurring risks associated with third-party data management. The magnitude of these exposures represents a significant portion of Mexico's voting-age population, highlighting the systemic challenge of protecting such a large-scale registry.

A distinguishing characteristic of INE's security posture is the pattern of data exposures stemming from mishandling by external vendors or partners, rather than direct system compromises by the institute itself. Regulatory fines have been imposed for negligence in safeguarding this data, such as the penalties following the AWS and Digital Ocean incidents. Furthermore, INE has been explicitly targeted in sophisticated cyber campaigns, including a December 2025 attack where a hacker used AI chatbots to generate exploits aimed at Mexican government agencies. Although INE claimed no unauthorized access resulted from that specific incident, the attempt highlights its vulnerability to emerging threats that lower the barrier for cyberattacks. The repeated exposures—some progressing from leaks to active breaches when data was distributed or sold—illustrate persistent challenges in protecting the national voter registry despite its critical role in Mexico's democracy. The institute's reliance on third parties for data storage and processing has repeatedly created vulnerabilities, leading to substantial data loss and regulatory repercussions.