Police raids after data on most of Ecuador’s citizens leaks online

It’s bad enough when a company suffers a data leak that exposes the personal information of its customers. But things can be even worse when the business suffering a data breach was storing the detailed information about potentially the population of an entire country.

Researchers at vpnMentor report that they were able to access data on a Miami-based ElasticSearch server, that was not protected by a password.

The server, which the researchers say appeared to belong to Ecuadorian consultancy firm Novaestrat, contained details of more than 20 million citizens in the South American country of Ecuador.

As Ecuador only has a population of some 16 million people, it’s likely that some of the records are duplicates or related to individuals who have since deceased.

Information exposed in the breach includes individuals’:

  • full name
  • gender
  • date and place of birth
  • home address
  • email address
  • phone number
  • marital status
  • date of marriage
  • level of education
  • date of death (where applicable)
  • family tree information
  • national ID card number

Over 6.7 million database entries relate to children under the age of 18.

In addition, sensitive information contained in the exposed databases includes care registration details, employer information, and millions of financial records and bank balances, and even the branch where accounts were opened.

According to the researchers, the data appears to have been sourced from the Ecuadorian government, automotive association AEADE (Asociación de Emprees Automotrices del Ecuador) and Ecuadorian national bank Biess.

Such information, if it fell into the hands of criminals, could clearly be exploited for fraud on a massive scale. It’s easy to imagine, for instance, how individuals exposed by the breach could be targeted by scammers via email and telephone – using the leaked data to make the communications appear more legitimate.

To the amusement of some, victims of the breach include Wikileaks founder Julian Assange who spent seven years hiding from British police in the Ecuador’s British embassy until his detention earlier this year.

Whatever you might think of Assange and the practices of Wikileaks, he doesn’t deserve to have his personal information exposed on the internet anymore than anyone else.

Although the leaking ElasticSearch server has been closed soon after vpnMentor’s researchers got in contact, that’s naturally not enough to allay concern in Ecuador about damage which might have been done.

On Monday, police in Ecuador raided the home of one of Novaestrat’s directors, seizing computer equipment and taking him in for questioning.

Telecoms minister Andres Michelena posted on Twitter that if it was confirmed that Novaestrat staff violated the personal privacy of Ecuadorians, “it is a criminal offense that must be punished.”

This incident underlines once again that even if you do everything in your power to keep your personal information safe and secure, you are powerless to do anything other than hope that companies are doing a good enough job to protect your data. And sometimes the organisations which end up leaking your data may be ones you have never heard of, and never realised were storing your sensitive information without your knowledge.

*** This is a Security Bloggers Network syndicated blog from HOTforSecurity authored by Graham Cluley. Read the original post at: