The Personal Data of the Entire Ecuadorian Population Could Have Been Leaked
Some data leaks are bigger and more impactful than others. But how do we classify them exactly? When can a data security incident be considered a massive problem and when is it not that big of a deal? The sense of scale has been somewhat blurred.
If 50 thousand people lose their data, for example, you might think that this is a significant breach. When you realize that billions of users interact with hundreds of thousands of online and offline services every day, however, you start to see that it's just a drop in the ocean. When the population of an entire country is affected, though, the breach can never be considered small.
An unsecured Elasticsearch server exposes the personal data of millions of Ecuadorians
Once again, the leaked information was found by vpnMentor's team of researchers led by Noam Rotem and Ran Locar. Over the past few months, they have been engaged in a web mapping project which has resulted in the discovery of dozens of poorly protected databases that have been leaking sensitive information for years. A couple of weeks ago, they found the next in a very long line of Elasticsearch databases that was facing the internet without any form of protection, but they quickly realized that this wasn't going to be an ordinary data leak.
A quick analysis of the data revealed that all individuals affected were citizens of Ecuador. Surprisingly, however, the Elasticsearch server held 20.8 million records – 4.2 million more than the South American country's current population. The researchers realized that every single Ecuadorian, as well as quite a few deceased individuals, could be in there. To get a better understanding of the scale of the incident, Rotem and Locar got in touch with ZDNet's Catalin Cimpanu, who helped them run through the database and find out what was going on.
Confirming the legitimacy of the data was not that hard. ZDNet's reporter had absolutely no issues finding records of Lenín Moreno, Ecuador's President, and he also located the personal data of Julian Assange, who, as you probably know, was given asylum by the South American country's UK embassy. The ease with which the information was accessible was scary enough, but when they saw just how much data was in the Elasticsearch server, Rotem, Locar, and Cimpanu were properly terrified.
The leaky server exposed tons of sensitive data
Cimpanu divided the leaked data into two separate groups – information collected by Ecuador's civil registry and information collected by private businesses. It probably shouldn't be too surprising that the civil registry has quite a lot of information on Ecuadorian citizens. This includes full names, dates of birth, places of birth, phone numbers, addresses, and information on people's marital status, workplace, and education. In addition to all this, the database included what Ecuadorians call cedulas. A cedula is a national ID number, and it's basically the equivalent of the US Social Security Number.
If you're an identity thief, this sort of data would be the stuff of dreams. The leaky server held a lot more than that, though. There was enough information on people's family members to reconstruct basically every single family tree in the country, including the personal details of close to 7 million children. Once again, we're talking about names, home addresses, places of birth, and cedulas.
The leak was already shaping up to be pretty horrible, and Cimpanu, Locar, and Rotem hadn't even gone through the data collected by private organizations.
The names of multiple privately-owned enterprises were present inside the database, but the ones that stood out from the crowd were Banco del Instituto Ecuatoriano de Seguridad Social or BIESS, a public bank, and Asociación de Empresas Automotrices del Ecuador or AEADE, an association of companies working in the automotive industry.
There were around 7 million BIESS records containing data on people's financial wellbeing, including bank account status, bank account balance, credit type, and job details. AEADE's records exposed the information of about 2.5 million car owners. This includes the car's make and model, its license plates, the date of registration, etc. Couple these details with the rest of the leaked information, and you'll see that the security of both the car and its owner could be put at serious risk.
Who is responsible for the leak?
Although it held information on people who are no longer among us, this wasn't a forgotten old database that had been compiled years ago. Some of the information in it was actually quite recent, which meant that taking it down as quickly as possible was even more important.
After some digging around, Rotem, Locar, and Cimpanu found out that the misconfigured Elasticsearch server belonged to an analytics company called Novaestrat. What they didn't manage to learn was how Novaestrat got its hands on the data and whether or not it was authorized to do so because the multiple attempts they made to contact the business were unsuccessful. Thankfully, Ecuador's Computer Emergency Response Team (CERT) was much more helpful, and after it got involved, the database was taken offline.
At this point, it's impossible to say whether or not the leaked data has been accessed by someone other than vpnMentor's researchers and ZDNet's reporter. Ecuadorian citizens can only hope that the cybercriminals were too late to the party. Considering the level of detail that got exposed, however, their number one priority should be to keep their eyes peeled for signs of misuse of their information.