Data leaks have become commonplace. Every week we hear of at least one data breach that may have gone on for months or years without users knowing their data was compromised. Yesterday, a team of researchers from vpnMentor reported a massive data breach that may impact millions of Ecuadorians. The research team, led by Noam Rotem and Ran Locar, discovered a leaky Elasticsearch database that included 18GB of personal data affecting over 20 million individuals, outnumbering the total number of citizens (16.6 million) in the small South American country. The vpnMentor research team discovered the Ecuador breach as part of its large-scale web mapping project.
The team found the exposed data on an unsecured server located in Miami, Florida. This server appears to be owned by an Ecuadorian company, Novaestrat, a consulting firm providing services in data analytics, strategic marketing, and software development. The information leaked in this breach includes personal information of individuals and their family members, employment details, financial information, automotive records, and much more.
The researchers said the breach was closed on September 11, 2019, and that they are still unaware of the exact details of the breach. However, they said that the exposed data appears to contain information provided by third-party sources. “These sources may include Ecuadorian government registries, an automotive association called Aeade, and Biess, an Ecuadorian national bank,” the researchers wrote in their official document.
Details of the data exposed during the Ecuador breach
The researchers said that in the database, citizens were identified by a ten-digit ID code. In some places in the database, that same ten-digit code is referred to as “cedula” and “cedula_ruc”. “In Ecuador, the term ‘cédula’ or ‘cédula de identidad’ refers to a person’s ten-digit national identification number, similar to a social security number in the US. The term ‘RUC’ refers to Ecuador’s unique taxpayer registry. The value here may refer to a person’s taxpayer identification number,” the researchers mention. On running a search with a random ID number to check the validity of the database, the researchers were able to find a variety of sensitive personal information.
Personal information such as an individual’s name, gender, date of birth, place of birth, addresses, email addresses, phone numbers, marital status, date of marriage if married, date of death if deceased, and educational details.
Financial information related to accounts held with the Ecuadorian national bank, Biess. Details such as account status, the current balance in the account, amount financed, credit type, location and contact information for the person’s local Biess branch.
Automotive records including car’s license plate number, make, model, date of purchase, most recent date of registration, and other technical details about the model.
Employment information including employer name, employer location, employer tax identification number, job title, salary information, job start date, and end date was also exposed.
ZDNet said it “verified the authenticity of this data by contacting some users listed in the database. The database was up to date, containing information as recent as 2019.”
“We were able to find records for the country’s president, and even Julian Assange, who once received political asylum from the small South American country, and was issued a national ID number (cedula),” ZDNet further reports.
Data of 6.77m children under the age of 18 was exposed
ZDNet reports that a database index named “familia” (meaning family in Spanish) held “information about every citizen’s family members, such as children and parents, allowing anyone to reconstruct family trees for the entire country’s population.”
This index included details of children, some of whom were born as recently as this spring. They found 6.77 million entries for children under the age of 18. These entries contained names, cedulas, places of birth, home addresses, and gender.
The leaked information may pose a huge risk to individuals, as attackers may use their email IDs and phone numbers to send them phishing emails, scams and spam
Hackers and other malicious parties could use the leaked email addresses and phone numbers to target individuals with scams and spam. Researchers said that these phishing attacks could be tailored to the individuals using exposed details to increase the chances that people will click on the links.
The Ecuador breach was closed on September 11, 2019, and the database was eventually secured only after vpnMentor reached out to the Ecuador CERT (Computer Emergency Response Team), which served as an intermediary.
A user on Hacker News writes, “There needs to be fines for when stuff like this happens. The bottom line is all that matters to bosses, so unless engineers can credibly point to the economic impact of poor security decisions, these things will keep happening.”
The data was lost by a local company in Ecuador, Novaestrat. I’m curious how they got it. Sub-contractors were also responsible for some prominent data losses in America (Snowden aside, the OPM data breach was huge: https://t.co/scCj0qln24)
— Elissa Shevinsky (@ElissaBeth) September 16, 2019
To know more about the Ecuador breach in detail, read vpnMentor’s official report.