Mexican newspaper Reforma reported [es] that the website buscardatos.com apparently has been harvesting information from the database of the Mexican Federal Electoral Institute (IFE) [es], the body responsible for organizing elections. This has left ample private citizen data accessible on the Internet.
On the webpage, users could access a citizen's voter password, an 18-digit code found in the voting credentials, as well as home addresses simply by searching a voter's last name. Citizen data could also be obtained through other identification records like the Unique Population Registry Code (CURP) or the Federal Taxpayers Registry (RFC), as seen in the screenshot below.
The answer from Mexican authorities
Following Reforma's November 6 article, the Institute for Access to Information, a body of the Mexican Federal Public Administration responsible for guaranteeing the right to accessing public government information and the protection of personal data, condemned the potentially unlawful treatment in a statement [es]. The body also indicated that it would open an investigation and agreed to file a complaint with the Attorney General's office against those responsible. The IFE filed a complaint as well.
Hosting for Buscardatos.com
We consulted the City Network hosting service, where buscardatos.com is hosted, and asked those responsible for its administration why the website remained online and the nature of their relationship with the site.
He also noted that in order for City Network to act on a violation of this sort, the company would have to receive a judicial order from local Mexican authorities.
The website buscardatos.com partially stopped working on the morning of November 8. The search functions have been disabled, since according to a message from its administrators, they are experiencing server problems and the searches will not be available until further notice.
Protection of personal data in Mexico
In Mexico there are mechanisms like those offered by the Federal Law of Transparency and Access to Public Government Information [es], which establishes a guarantee for the protection of personal data in the hands of the government. Additionally, the Federal Law on the Protection of Personal Data Held by Individuals [es] mandates that anyone handling personal data is obligated to safeguard the privacy of that data, in order to ensure that the owners of that data can access and delete the information at any time or legally contest the way their personal data is handled by third parties.
One case among many?
Statements from the IFAI and IFE followed Reforma's article and referred exclusively to the case discussed in the paper; yet this is not the only visible case online. There is also a site [es] that reports the sale of the Federal Electoral Institute database, which had been updated until 2012, an incident that authorities have not yet addressed.