Ecuador police have arrested an executive of data analytics firm Novaestrat, which was found responsible for the massive data leak that has affected most of Ecuador's population.
Ecuadorian officials said in a statement that they have detained William Roberto G, identified as the legal representative of Novaestrat. He is being questioned as part of the official investigation after vpnMentor exposed the staggering data breach, the largest in scale in Ecuador's history.
The breach happened after the local data analytics business left an Elasticsearch server exposed online without a password, leaving the personal information of millions of Ecuadorians, including 6.7 million children, open for all.
According to researchers at vpnMentor, the database of about 18GB of data held 20.8 million records. The unsecured Elasticsearch server owned by the Ecuadorian company was located in Miami, Florida.
"Although the exact details remain unclear, the leaked database appears to contain information obtained from outside sources. These sources may include Ecuadorian government registries, an automotive association called Aeade, and Biess, an Ecuadorian national bank," said the report.
The leaked information included detailed personal data: full names, gender, age and residence, official, personal and mobile phone numbers, family details and levels of education.
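The breach described above came down to a single misconfiguration: an Elasticsearch node reachable from the internet with no authentication. As an added illustration (not code from the article, vpnMentor or Novaestrat), the script below audits a flat elasticsearch.yml for exactly that combination, a public bind address together with security disabled or left unset. The two sample configurations are constructed for the example; the setting names (network.host, xpack.security.enabled, xpack.security.http.ssl.enabled) are real Elasticsearch settings, but the parser assumes flat `key: value` lines and is not a full YAML parser.

```python
"""Audit a flat elasticsearch.yml for settings that leave a node reachable
without authentication. Constructed example; the sample configs are not
Novaestrat's, and the parser handles flat `key: value` lines only."""

import re

# Bind values that listen on every interface or on a routable address.
PUBLIC_BIND_VALUES = {"0.0.0.0", "::", "_site_", "_global_"}
LINE_RE = re.compile(r"^\s*([A-Za-z0-9_.]+)\s*:\s*(.*?)\s*$")


def parse_flat_yaml(text):
    """Parse `key: value` lines; comments and blank lines are skipped."""
    settings = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0]  # drop trailing comments
        m = LINE_RE.match(line)
        if m and m.group(2):
            settings[m.group(1)] = m.group(2).strip("'\"")
    return settings


def is_public_bind(host):
    """True if any listed bind address is reachable beyond the loopback."""
    for h in host.strip("[]").split(","):
        h = h.strip().strip("'\"")
        if h in PUBLIC_BIND_VALUES:
            return True
        if h in ("_local_", "localhost", "::1") or h.startswith("127."):
            continue
        return True  # a specific non-loopback address is also reachable
    return False


def audit(settings):
    """Return a list of findings; an empty list means nothing was flagged."""
    findings = []
    # Elasticsearch binds to the loopback interface when network.host is unset.
    host = settings.get("network.host", "_local_")
    security = settings.get("xpack.security.enabled")
    tls = settings.get("xpack.security.http.ssl.enabled")
    if not is_public_bind(host):
        return findings
    if security == "false":
        findings.append(
            f"CRITICAL: node bound to {host} with xpack.security.enabled: false "
            "(anyone who can reach port 9200 can read every index)")
    elif security is None:
        # The default has differed between major versions, so treat an
        # unset flag as unverified rather than assuming it is safe.
        findings.append(
            f"WARN: node bound to {host} and xpack.security.enabled is unset; "
            "confirm the default for this version")
    elif tls != "true":
        findings.append(
            "WARN: authentication is on but HTTP TLS is not; credentials "
            "cross the network in clear text")
    return findings


# Constructed configs: the weak one mirrors the class of mistake behind the
# leak, the hardened one is what a reviewer would expect to see.
WEAK_CONFIG = """
cluster.name: analytics
network.host: 0.0.0.0            # listens on every interface
http.port: 9200
xpack.security.enabled: false    # no authentication at all
"""

HARDENED_CONFIG = """
cluster.name: analytics
network.host: 10.0.1.5
http.port: 9200
xpack.security.enabled: true
xpack.security.http.ssl.enabled: true
"""

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name, audit(parse_flat_yaml(cfg)) or ["no findings"])
```

Run it against a real node's elasticsearch.yml to see the same verdicts; an empty result only says the file looks right, so a defender would still confirm from outside the network that port 9200 refuses unauthenticated requests.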
The government reacted swiftly, naming Novaestrat as the source of the leak.
"This arrest shows how seriously authorities are taking the security of people’s personal information. While it is not clear how Novaestrat came to be in possession of the data, the Ecuadorian authorities have acted quickly and are demonstrating an urgency to find out," said Edgard Capdevielle, CEO of Nozomi Networks.
Ecuador's president Lenín Moreno has reportedly asked the government officials to speed up the process of drafting and enforcing a new data privacy law.
In a statement on an official government website, telecommunications minister Andres Michelena Ayala said his office has been working on the new data privacy law for the past eight months and a draft will be submitted to the parliament in the coming days.
"The fact that such a significant volume of data mysteriously ended up on Novaestrat's servers and was stored insecurely certainly raises a number of questions and highlights the growing need for countries to impose data privacy regulations which prevent such incidents from happening," Capdevielle said.
"Ecuador is not alone in moving citizen data or critical applications into the cloud," said David Higgins, EMEA technical director at CyberArk.
"But if government organisations or private companies are going to go down this route, they need to understand that the cloud provider will only secure what they are putting into the cloud up to a point," he said.
The official policy of leading cloud service provider Amazon Web Services (AWS) states that it will ensure that only authorised parties have physical access to its data centres and will run the related network security appliances, such as IPS devices, IDS devices and firewalls. It also monitors logs for security alerts and addresses any related issues with the security of the network itself.
However, the code and configuration that the customer company deploys on that infrastructure do not belong to Amazon. If there is a vulnerability in the company's code and a hacker exploits it, the company will be held responsible.
"Public cloud providers provide straightforward guidance on their shared responsibility models for security and compliance in cloud environments. However, many organisations ignore this," said Higgins.
"The recent data from CyberArk’s annual Global Advanced Threat Landscape report found that around half of global organisations don’t have a strategy in place for securing privileged data and assets in the cloud. This represents an open door for anyone that might wish to access them," he added.