Mexican voter database exposed on AWS after MongoDB was left publicly accessible

A copy of 93 million voter records was hosted on Amazon EC2 with no authentication, no encryption and internet-reachable MongoDB access on the default port

A copy of the Mexican National Electoral Institute voter database containing 93 million records was exposed from a MongoDB deployment on Amazon EC2 after being left reachable from the internet with no authentication and no encryption.

Chris Vickery located the database via Shodan using MongoDB’s default port 27017 and accessed voter records without credentials, confirming the data belonged to Mexican citizens. Amazon Web Services notified the system owner after disclosure and the database was removed soon after. The source does not confirm data theft, but it also does not provide evidence of access logging, audit controls or any mechanism to prove whether others accessed or copied the data.

The incident shows a complete breakdown in cloud security ownership: internet exposure of a sensitive datastore, no authorization boundaries, no encryption and weak governance over distributed copies of regulated data. The key lesson is clear: cloud infrastructure may be operated by a provider, but customers remain responsible for securing workloads, restricting network paths and maintaining monitoring strong enough to detect unauthorised access to high-impact data.

What went wrong

What’s happening: Sensitive voter data was exposed through a publicly reachable MongoDB service
Cause: The database was hosted on Amazon EC2 and accessible over the internet on MongoDB’s default port 27017, discoverable through Shodan
Action: Validate that databases are not directly internet accessible unless explicitly required. SkySiege would assess EC2 security groups, public IP exposure, internet-routable paths and database-related ports exposed to 0.0.0.0/0 or equivalent broad sources.

What’s happening: Anyone with the IP and a MongoDB client could access records without challenge
Cause: No authentication procedures had been placed on the database and the source provides no evidence of authorization controls
Action: Validate that all data services enforce authentication and role-based authorization. SkySiege would assess whether workloads expose data services without identity controls and whether access is restricted to approved principals, subnets or application tiers.

What’s happening: High-value personal data was readable in clear form
Cause: The data was not encrypted, so exposed access would reveal usable personal information immediately
Action: Validate encryption at rest and any application-level protection for highly sensitive data. SkySiege would assess storage encryption settings where visible in cloud configuration and identify architectures that rely solely on network placement instead of layered data protection.

What’s happening: Network-layer protection was effectively absent
Cause: The source shows internet reachability and no evidence of firewalling or segmentation to limit inbound requests
Action: Validate that security groups, NACLs, host firewalls and private network placement restrict inbound database traffic to known internal consumers only. SkySiege would assess whether workloads that should be private are placed in publicly reachable architectures without compensating controls.

What’s happening: Governance over shared copies of regulated data was weak
Cause: INE stated that copies of the dataset were issued and watermarked, but ownership of the exposed copy was unclear
Action: Validate where regulated or sensitive datasets are copied, who owns them and whether each copy is governed by inventory, data handling policy and technical guardrails. SkySiege would assess cloud asset ownership gaps, unmanaged data stores and architectures suggesting uncontrolled replication of sensitive datasets across accounts or environments.

What’s happening: The organisation may be unable to prove whether the data was further accessed or copied
Cause: The source states there is no direct evidence of theft, but it also provides no evidence of logging, audit trails or access monitoring
Action: Validate that high-risk databases generate and retain access logs, admin activity trails and alerting for anomalous connections. SkySiege would assess available cloud-native logging posture, monitoring coverage and whether exposed assets have supporting telemetry sufficient for incident reconstruction.

What’s happening: The security model depended on cloud hosting without enforcing customer-side controls
Cause: AWS reiterated the shared responsibility model: AWS secures the cloud infrastructure, while customers must secure the applications they run
Action: Validate responsibility boundaries for IaaS workloads, especially self-managed databases on EC2. SkySiege would assess whether enterprise teams are running internet-exposed services without baseline hardening, ownership or detective controls.

Why this matters

This incident is a critical example of cloud misuse turning into a national-scale data exposure. The failure was not an advanced intrusion; it was a complete absence of basic security controls around a high-sensitivity dataset. A publicly reachable database with no authentication, no encryption and no clear evidence of monitoring creates immediate enterprise risk because discovery requires little effort and exploitation leaves minimal friction for an attacker.

The detection gap is as important as the exposure itself. While the source does not confirm theft, it also does not show that the owner had the telemetry needed to determine whether third parties accessed or copied the data. That creates a major visibility problem: if logging, audit trails and administrative activity monitoring are weak or absent, the organisation cannot support incident response, legal review or regulator inquiries with confidence.

The governance weakness is equally severe. INE indicated that copies of the voter dataset were issued and watermarked, but the owner of this exposed copy was not identified in the reporting. That points to poor control over downstream data distribution, unclear accountability and inadequate restrictions around who can host shared regulated data in cloud environments. For an enterprise, this is a classic sign of data sprawl without enforceable access boundaries.

Business impact extends beyond technical remediation. Exposure of identity-linked voter records can trigger legal scrutiny, regulatory consequences, public trust erosion and long-tail costs for investigation, containment and control redesign. As the commentary highlights, if this were not a government context, the likely outcome would include significant regulatory and contractual consequences. For buyers, investors and assessors, this kind of incident signals weak cloud governance maturity, poor privilege design and insufficient preventive and detective controls around mission-critical data.

References

Original Article