The entire population of Ecuador has been impacted by an open database on an unsecured server, housing a massive amount of personal information collected from public-sector sources by a marketing analytics company.
The leaked database, which was found by vpnMentor’s research team, includes records for 20 million individuals, gleaned from Ecuadorian government registries, an automotive association called Aeade, and the Ecuadorian national bank (El Banco del Instituto Ecuatoriano de Seguridad Social, or Biess for short). Some of the entries are for deceased persons. Ecuador has about 16.5 million citizens in total.
Also included is a record for Julian Assange, the disgraced founder of Wikileaks, who until recently was a guest of the Ecuadorian government at the London embassy.
The concerning aspect of the database is the sheer depth of information that it exposed. It contains some typical data found in leaks such as full names, gender, date of birth, place of birth, home address, email address, home, work and cell phone numbers, and taxpayer IDs. But it also contains more granular information. This includes marital status, date of marriage (if applicable), date of death (if applicable), level of education – and even detailed information about family members.
“For each entry, we were able to view the full name of their mother, father, and spouse,” researchers said in a Monday blog post. “We were also able to view each family member’s ‘cedula’ value [Ecuador’s equivalent of a Social Security number].” They added that using that number, it’s possible to pull up each family member’s record.
The personal information doesn’t stop there. The collected data also includes various automotive records, such as a car’s license plate number, make, model, date of purchase, most recent date of registration, and other technical details about the model, all linked to individuals via their identification numbers. The Biess information meanwhile includes account status and balances, loan information, and the location and contact information for the person’s local Biess branch. Also included is detailed job information, including employer name and location, job title, salary information, and job start and end dates.
In total, the trove of data offers any attacker the ability to cross-reference and combine the data into a highly personal, richly detailed view of a person’s life.
The server is located in Miami. The vpnMentor researchers were able to trace it back to Ecuadorian company Novaestrat, which locked it down once notified.
It’s unclear why Novaestrat is housing so much personal data on Ecuadorian citizens or how it came to collect it in the first place. The company bills itself as a consulting company that provides “data analytics, strategic marketing and software development.”
“Why is that level of personal data from a government given to a marketing analytics company?” Chris Morales, head of security analytics at Vectra, told Threatpost. “What purpose does it serve? The number one rule of data protection is to not have the data. Especially when it is private data a government has shared with a third-party private company. That in itself is a bit scary.”
The data is detailed enough to place Ecuadorian citizens in serious danger from fraud, identity theft and social-engineering attacks of all stripes, the vpnMentor researchers noted.
“Although the data breach is closed, the leaked data could create long-lasting privacy issues for affected individuals,” they wrote. “This information leaves individuals at risk of email and phone scams… For example, a scammer could pretend to be a friend of a family member in need of financial help. They could back up the story with exposed personal information to build trust.”
The breach could also have an impact on Ecuadorian companies. Beyond personal information, the exposed database revealed details related to various companies in Ecuador, including taxpayer identification numbers and each company’s address and contact information. It also listed each company’s legal representative and provided their detailed contact information.
“The Ecuador breach is another in a very long list of cloud-based databases leaking information to anyone with an internet connection,” Javvad Malik, security awareness advocate at KnowBe4.com, said via email. “But this is particularly significant due to the number of records and the sensitivity of the data. Most troubling, perhaps, being the data of children being stolen, which can be used by criminals to set up fake identities, or take out loans against which the victims won’t realize until further in life when they realize their credit is ruined.”
The incident is reminiscent in scale of the Equifax data breach that affected nearly the entire adult population of the United States. It also raises the specter of Cambridge Analytica in terms of marketing companies harvesting deep wells of information on private citizens.
Malik added, “Companies and governments in particular should always secure their databases to ensure they are not publicly available… and perhaps most importantly, before creating such large databases, governments and companies should ask whether such a large collection is necessary, legal, whether or not they have the ability to secure it adequately, and what the impact of any breach would be.”