The voter information of more than 14.3 million Chileans, which accounts to nearly 80% of the country's entire population, was left exposed and leaking on the internet inside an Elasticsearch database.
ZDNet learned of the leaky server from a member of the Wizcase research team, who passed the server's IP to this reporter last week, in order to identify the nature and source of the leak.
We found that the database contained names, home addresses, gender, age, and tax ID numbers (RUT, or Rol Único Tributario) for 14,308,151 individuals.
ZDNet has confirmed the validity and accuracy of this information with several of the individuals whose data was contained in the leaky database.
A spokesperson for Chile's Electoral Service -- Servicio Electoral de Chile (Servel) -- also confirmed the data's authenticity; however, they denied owning the leaky server.
Voter records are from 2017
Both our private sources and the Servel spokesperson indicated that the data stored on the Elasticsearch server, hosted on the network of a US hosting provider, is at least two years old.
"The mentioned information corresponds to the data of 2017," a Servel spokesperson told ZDNet.
Inquired if the agency had allowed third-parties access to its data to build election-related apps, Servel said that "access to critical service data is not given to external contractors."
The agency said it's tasked by Chile's laws to keep the data up to date and provide an interface through which voters can verify the validity or update their voter information. This can be done via mobile apps or Servel's official website.
Servel said it believes that there were people who scraped this information from its website and later assembled it in databases as the one ZDNet reported to the agency.
At the time of writing, the server is still online. The Wizcase team published their own report on the leaky server on their blog. WizCase researchers assessed that the server contained data "on nearly every Chilean adult," including high-profile politicians.
More data breach coverage:
- Robinhood admits to storing some passwords in cleartext
- Hackers breach FSB contractor, expose Tor deanonymization project and more
- Bulgaria's hacked database is now available on hacking forums
- Credentials stuffing attack prompts password resets for Sky customers
- Slack resets passwords for 1% of its users because of 2015 hack
- Thousands of Los Angeles police caught up in data breach
- A hacker assault left mobile carriers open to network shutdown CNET
- 90% of data breaches in US occur in New York and California TechRepublic