Researchers have uncovered a large data breach thought to impact the majority of the population of Ecuador, including records belonging to WikiLeaks founder Julian Assange.
Information leaked in the Ecuador data breach includes official government ID numbers, family records, phone numbers, marriage dates, education histories and work records.
The huge data breach was discovered by vpnMentor security researchers Noam Rotem and Ran Locar, who worked with ZDNet to publish the story. The unsecured cloud server, located in Miami, Florida, contained 18 GB of data, including the personal details of over 20 million individuals, with the majority from Ecuador.
The most recently available figures put the population of the South American country at 17.4 million, which means it’s likely every citizen has been affected by the Ecuador data breach. vpnMentor attributes the larger figure to duplicate records and to records belonging to people who are deceased.
According to the researchers, it appears that the server belongs to Novaestrat, an Ecuadorian consulting company.
The database looks likely to contain “information obtained from outside sources” which may include Ecuadorian government registries, an automotive association called Aeade, and Banco del Instituto Ecuatoriano de Seguridad Social (Biess), an Ecuadorian national bank.
What did the database contain?
The database contains identifiable and sensitive information, including information belonging to 6.7 million children. This includes the full names, genders, dates of birth, home addresses, email addresses, marital status, and home, work and mobile phone numbers of many individuals. For Biess account holders, this also includes account balance and credit type.
The database also contains information on individuals’ family members, including the full names of their mother, father and spouse. It also contains details of employment, including employer name, employer tax identification number, salary information and job title.
Among the records were details belonging to WikiLeaks founder Julian Assange, who was granted political asylum in the Ecuadorian embassy in London in 2012 before being arrested in 2019 after Ecuador withdrew his asylum. His name and a number thought to be a national identification number are viewable within the database.
As well as information related to individuals, the database also contains the company records of various organisations in Ecuador including each company’s address and contact information.
Access to the exposed server has since been revoked by Ecuador’s computer emergency security team.
It is unclear exactly how the data was gathered by Novaestrat, although ZDNet said it appears to come from both government sources and private databases.
“In some ways it’s quite ironic that we only found out about this leak because a third party had not protected their dubiously acquired data,” said Stuart Sharp, vice president of solution engineering at OneLogin.
“How the original data was acquired is perhaps the bigger story, something we may never get to the bottom of. This breach serves to demonstrate that organisations are still struggling to protect their data.”
Response to Ecuador data breach “very slow”
As part of their large-scale web mapping project, the vpnMentor researchers routinely scan ports to find known IP blocks, looking for vulnerabilities that suggest that a database has been left online without protection.
Rotem told Verdict that the exposed database was “an Elasticsearch cluster on top of a Hadoop cluster, sitting on an unsecured server in Florida”.
He added that the team had “no response” from Novaestrat and that the Ecuadorian emergency security team’s response was “very slow”.
“I had to take the name of the person who contacted me from the CERT [computer emergency response team], pull data from the database, and send it to them for them to understand the impact of the breach,” said Rotem.
“Long-lasting privacy issues”
The volume and type of data exposed in the Ecuador data breach would prove highly valuable to would-be criminals for a variety of purposes, from phishing to identity theft. The researchers have said that the information “may already be in the hands of malicious parties”.
“We all know that data is the new gold. The monetisation of valuable up-to-date data is relatively easy,” said Felix Rosbach, product manager at Comforte, a data security firm. “Some of the companies that offer analytics services don’t care about privacy and data protection – or it’s not their priority.
“This time, unfortunately, innocent children are among the victims. And it’s not only identity theft that can be a consequence. Connecting financial information and family information can lead to gangs targeting and kidnapping children of rich families.”
Researchers have said that the leak is “particularly serious simply because of how much information was revealed about each individual” and could create “long-lasting privacy issues for affected individuals”.
According to Engadget, Ecuadorian government departments have been hit with a wave of cyberattacks following the arrest of Julian Assange earlier this year, thought to be in response to the country’s decision to expel Assange from its embassy.