Mexican voter database exposure (Mexico, 2016)
A misconfigured MongoDB database left the full Mexican national voter roll — 93.4 million records including names, addresses, birthdates and national ID numbers — publicly accessible on Amazon's cloud with no password, for months.
- Victim: Instituto Nacional Electoral (INE) — Mexican voter registry
- Records: 93.4M
- Users: 93.4M
In April 2016, security researcher Chris Vickery discovered that the entire Mexican national voter registry — 93.4 million records — had been sitting on a publicly accessible, password-free MongoDB database hosted on Amazon AWS for months. It was, at the time, one of the largest exposures of government-held citizen data anywhere in the world.
What happened
The 132 GB database was configured for public access with no authentication of any kind — anyone who knew the IP address could connect and read the full contents. Vickery located it using the Shodan search engine, which indexes internet-connected systems, by scanning for MongoDB's default port 27017. Records had reportedly been exposed since September 2015.
Each record corresponded to a registered Mexican voter and included the full name, home address, date of birth, and national identification (credencial / CURP-linked) numbers — precisely the data used for in-person voter identification. Mexico's electoral authority, the Instituto Nacional Electoral (INE), later confirmed the records were authentic.
Impact
- 93.4 million voter records — effectively the entire adult electorate — were exposed.
- The data included home addresses, a particularly sensitive detail in a country with serious concerns about kidnapping, extortion and cartel violence.
- Under Mexican law, voter-roll data is strictly confidential, and its unauthorised extraction can carry penalties of up to 12 years in prison, making the exposure a potential criminal matter, not merely a privacy lapse.
Why it matters
The case is a defining example of cloud-misconfiguration risk applied to a national-scale government dataset. No firewall was breached and no malware was used — the entire electorate's personal data was exposed by a single insecure default. It intensified scrutiny of how third parties and political actors obtain copies of the voter roll, of weak controls on government data shared with vendors, and of the broader wave of open-MongoDB exposures that defined the mid-2010s, prompting database vendors to ship secure-by-default configurations.
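A configuration audit for the misconfiguration described above, added here as an example and not taken from the incident or from MongoDB's own tooling: it checks a mongod.conf for the two settings that together leave a server readable by anyone who can reach it, `security.authorization` and `net.bindIp` / `net.bindIpAll`. The function names, finding codes and both sample configurations are constructed for illustration.

```python
import ipaddress

def parse_conf(text):
    """Flatten the nested 'key: value' YAML of a mongod.conf into dotted keys."""
    flat, stack = {}, []  # stack: (indent, key) of the sections currently open
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if ":" not in line:
            continue
        indent = len(line) - len(line.lstrip())
        key, _, value = line.strip().partition(":")
        while stack and stack[-1][0] >= indent:
            stack.pop()
        if value.strip():
            flat[".".join([k for _, k in stack] + [key])] = value.strip().strip("\"'")
        else:
            stack.append((indent, key))
    return flat

def is_local(addr):
    """True for a loopback address, 'localhost', or a Unix socket path."""
    if addr == "localhost" or addr.startswith("/"):
        return True
    try:
        return ipaddress.ip_address(addr).is_loopback
    except ValueError:
        return False  # a hostname we cannot classify: treat it as reachable

def audit(text):
    """Return finding codes for a mongod.conf; an empty list means neither issue is present."""
    conf, findings = parse_conf(text), []
    if conf.get("security.authorization", "disabled").lower() != "enabled":
        findings.append("no-auth")
    if "net.bindIp" not in conf and "net.bindIpAll" not in conf:
        findings.append("bind-unset")  # mongod before 3.6 then listens on all interfaces
    elif conf.get("net.bindIpAll", "false").lower() == "true" or not all(
            is_local(a.strip()) for a in conf.get("net.bindIp", "localhost").split(",")):
        findings.append("non-local-bind")
    if findings == ["no-auth", "non-local-bind"]:
        findings.append("open-to-network")  # the combination the article describes
    return findings

# Constructed samples, not the configuration of the exposed server.
WEAK = "net:\n  port: 27017\n  bindIp: 0.0.0.0\n"
HARDENED = "net:\n  bindIp: 127.0.0.1,/tmp/mongodb-27017.sock\nsecurity:\n  authorization: enabled\n"
print(audit(WEAK), audit(HARDENED))
```

A `non-local-bind` finding on its own is not necessarily a fault, since replica sets and application servers need network reachability; it is the pairing with `no-auth` that the audit escalates.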
Timeline
- The MongoDB instance hosting the Mexican voter roll is configured for public access on Amazon AWS, with no authentication required.
- Researcher Chris Vickery discovers the 132 GB database open on the internet via Shodan and the default MongoDB port 27017.
- Vickery reports the exposure to U.S. authorities, the Mexican Embassy, the INE and Amazon, but the database initially stays online.
- After escalation, the database is taken offline; Mexico's INE confirms the records are authentic and opens an investigation.
- The INE pursues legal action over the unauthorised extraction of voter data, which is classified as strictly confidential under Mexican law.
Sources
- helpnetsecurity.com: https://www.helpnetsecurity.com/2016/04/25/info-93-million-mexican-voters-leaked/
- databreaches.net: https://databreaches.net/2016/04/22/personal-info-of-93-4-million-mexicans-exposed-on-amazon/
- securityaffairs.com: https://securityaffairs.com/46588/breaking-news/mexican-voter-records.html
- theregister.com: https://www.theregister.com/2016/04/25/mexico_voter_data_breach/
- informationweek.com: https://www.informationweek.com/cloud/infrastructure-as-a-service/93-million-mexican-voter-database-exposed-on-amazon-cloud/d/d-id/1325259