The humongous collection of extensive personal details about millions of people could be a gold mine for scam artists
Two weeks ago, the firm discovered a misconfigured Elasticsearch server that was packed with personal data on most of Ecuador’s citizens, including children. The server – which is hosted in Miami but is believed to be owned by an Ecuadorean consulting company called Novaestrat – was left unsecured for an unknown period of time.
The cache of data weighed in at 18 gigabytes and comprised various personal details, including full names, dates of birth, addresses, phone numbers, ID numbers, family information, financial details, and car registration numbers. As many as 20 million individuals may be impacted, said the researchers, although this count includes duplicate records and records for deceased people.
The leak was eventually plugged on September 11th, but not until Ecuador’s Computer Emergency Response Team (EcuCERT) had to step in. Per ZDNet, which got the scoop on and examined the leak, Novaestrat initially took no action to secure it.
Meanwhile, Ecuador’s telecommunications ministry said (in Spanish) that Novaestrat had obtained the data in an illegal manner. In fact, the country’s interior minister María Paula Romo announced that the firm‘s managing director, identified as William Roberto G., had been detained on Monday.
The information apparently originates from Ecuadorean government sources, as well as from a local automotive association called AEADE and a state-owned bank known as BIESS.
It’s unclear whether or not the unsecured database was accessed by bad actors before being spotted by the researchers. The personal details could be immensely useful for all manner of scammers, who could leverage them for convincing and highly targeted social engineering campaigns.
Data exposures caused by leaky servers are certainly not uncommon, but this security and privacy lapse is notable for its sheer breadth and depth. In fact, it may bring echoes of an incident in Chile from just weeks ago that had the personal data of 80% of the country’s population exposed in another ‘nationwide leak’, also courtesy of an unsecured Elasticsearch cluster.
Meanwhile, a data breach at credit bureau Equifax two years ago saw hackers steal extensive personal data on half the US population, as well as hundreds of thousands of Canadians and Brits. In Bulgaria, bad actors recently breached the country’s tax agency and made off with personal data on almost all of the country’s taxpayers.