Entire Ecuador population's personal data exposed online

News by Rene Millman

Database exposes data on almost all citizens of Ecuador, including 6.7 million children

Security researchers have discovered a massive data breach that could impact the entire population of Ecuador. 

According to researchers at vpnMentor, the database of about 18GB of data holding 20.8 million records was exposed on an unsecured Elasticsearch server located in Miami, Florida, which appears to be owned by an Ecuadorian company. The population of Ecuador is 16.6 million.

The researchers said the majority of the affected individuals seem to be located in Ecuador.

"Although the exact details remain unclear, the leaked database appears to contain information obtained from outside sources. These sources may include Ecuadorian government registries, an automotive association called Aeade, and Biess, an Ecuadorian national bank," said the report.

The information leaked included detailed personal information including full name, gender, age and residence, official and personal and mobile phone numbers, family details and levels of education.

"For each entry, we were able to view the full name of their mother, father, and spouse. We were also able to view each family member’s ‘cedula’ value, which may be a national identification number," the researchers said.

The database even included an entry on WikiLeaks founder Julian Assange, who resided in the Ecuadorian embassy in London up until April of 2019.

Even though the breach has now been closed, the leaked data could create long-lasting privacy issues for affected individuals, warned researchers.

"This information leaves individuals at risk of email and phone scams. Hackers and other malicious parties could use the leaked email addresses and phone numbers to target individuals with scams and spam," researchers said.

This is another in a very long list of cloud-based databases leaking information to anyone with an internet connection, said Javvad Malik, security awareness advocate at KnowBe4.

"This is particularly significant due to the number of records and the sensitivity of the data. Most troubling perhaps being the data of children being stolen, which can be used by criminals to set up fake identities, or take out loans against which the victims won't realise until further in life when they realise their credit is ruined," he told SC Media UK.

Hugo van den Toorn, manager of Offensive Security at Outpost24, called this a typical example of a misconfigured system. It should have never been possible for anyone on the Internet, especially without authentication, to access the data stored in the database, he told SC Media UK.  

"Even Elastic themselves quote on one of their recent blogs on securing Elastiscsearch that it’s especially dangerous if the cluster is connected directly to the Internet where anyone can connect without using a password," he said. 

"With the countless possibilities of ‘quickly deploying a system in the cloud’, security is often overlooked by organisations. As datasets grow to this size, the data is becoming increasingly valuable to businesses and in some cases even more valuable than money. Unfortunately not everyone protects it like the valuable asset it is."

Find this article useful?

Get more great articles like this in your inbox every lunchtime

Video and interviews