Millions of Mexican records accessible online
Steve Howe warns of the safety of the cloud and keeping public data safe in almost ‘prophetic’ talk to Cyber Security Professionals
The discovery of an unsecured database listing the personal details of 87 million Mexicans online has uncovered a huge security breach, raising concerns over what the data could be used for.
The millions of names, addresses, dates of birth and voter ID numbers were recently discovered by US security researcher Chris Vickery, who had been browsing unsecured databases, with a security tool called Shodan.
He quickly realised that it was a Mexican voter database and after initial problems trying to contact an official, informed the Mexican National Electoral Institute, which organises federal elections in the country.
The voter information, which has now been taken offline, was discovered on a database on a cloud server provided by Amazon Web Services.
During his talk, Identity and Privacy in a Hyper Connected World, Amethyst’s M.D Steve Howe raised many of the issues surrounding such a breach, such as the safety of ‘the cloud.’
Speaking at the Cyber Security Professionals exhibition in York last week, Steve said:
“When we decide to store all this browsing information, or anything else for that matter, in the cloud we believe nobody will be threatened.
“Does anyone ask where this cloud is? Is this ‘cloud’ computer in the UK, China, Syria? Who else is sharing that cloud?
“It’s confusing. A cloud looks so fluffy, nice and safe – but it isn’t. It’s someone else’s computer.”
During the talk, Steve discussed his belief that cyber professionals should help industry to secure communication and data, thus helping government by keeping all of the public’s communication SECRET.
“I mean SECRET, not OFFICIAL or OFFICIAL SENSITIVE but SECRET. Something is SECRET if its disclosure could result in a loss of life and what could lead to a loss of life is probably quite a long list whose content isn’t obvious.”
“The information the cloud holds on the public is only OFFICIAL . Who really cares if that hits the public domain? Well the public might be a little irked if it is lost. Storing information that wasn’t properly secured didn’t work so well for the customers of Talk Talk or the users of Ashley Madison, the dating site for those who wanted an affair. Some users of that site killed themselves on the release of the user data.”
“If you have information on people, you have a responsibility to protect it and the cyber security measures for OFFICIAL or OFFICIAL sensitive may well not cut it. Some of the measures normally used for protecting SECRET data may be more appropriate.”
When personal details are made public, people are vulnerable to security scams. In Mexico, where up to 100,000 people are kidnapped every year, this date breach, which has released data on people's home addresses, could be considered particularly dangerous. Unfortunately, this is not the first time that such a breach has occurred. Recently, the details of 70 million voters in the Philippines were reported to have leaked online, while in December last year, Mr Vickery found a cache of data on 191 million US voters after a database was made accessible via the web.
To read more about the Mexican voters’ unsecured data, visit http://www.bbc.co.uk/news/technology-36128745