Posted on September 19, 2019 at 10:49 AM

The Biggest Leak in Ecuador’s History: Over 20 Million User Records Leaked from a Misconfigured Database

According to a recent report by security researchers at vpnMentor, the data belonging to pretty much the entire population of Ecuador has been leaked from an unprotected server. The misconfigured database contained personal details of around 20.8 million individuals, which is larger than Ecuador’s entire population (16.8 million).

Ecuador’s entire population exposed

The leak was discovered by two researchers from VPNMentor — Ran Locar and Noam Rotem. It contained personal data of the people of Ecuador, including some duplicate records, as well as entries belonging to deceased individuals. The exposed information includes names, genders, places and dates of birth, home and email addresses, phone numbers, marital status and details, education levels, financial information in regards to Ecuadorian national bank Biess, as well as employment information, such as job titles, salary data, and more. Not only that, but the reports also say that 6.7 million children got their data exposed, as well.

The leaky server belongs to a company known as Elasticsearch, and it was spread across several indexes. Two main categories stand out — data collected from the government sources, as well as the data from private databases.

So far, it appears that the data collected from the country’s government’s civil registry is more extensive. Most of the stolen information appears to be up to date,  with the newest entries being made in 2019. The information is also seemingly authentic, and it even includes the data of the country’s president, as well as Julian Assange, who previously received political asylum in the country.

The fact that the database contains family information might be significantly more concerning, as it includes all family members, family trees, and even the children. In other words, someone who may have harvested this data could, in theory, reconstruct the entire country’s family tree. The freshest information was included this spring, meaning that there is even data about the newborns from the first half of 2019.

As mentioned, 6.7 million entries belong to children and teenagers under the age of 18, and it also includes names, home addresses, gender, and more. This means that all of the country’s children are no exposed to potential identity theft, scams, phishing attacks, not to mention physical danger such as kidnappings since their names and home addresses got exposed as well.

Private sources-based data exposed as well

As concerning as all of this is, it only represents one category of data — that from the government sources. Another category, as stated earlier, comes from private sources, which mere mostly marked by the acronyms such as AEADE and BIESS.

BIESS, for example, is an acronym for Banco del Instituto de Seguridad Social. The data belonging to the bank include financial information for a large number of the country’s citizens, including account balance and status, the type of credit, and even the account owners’ job details, and more.

Then, there is AEADE, which is an acronym of Asociación de Empresas Automotrices del Ecuador. The data belonging to AEADE includes information about Ecuador’s citizens’ vehicles, such as license plates, car models, and alike. Approximately 2.5 million records display the vehicle-related information, and around 7 million records represent the financial data.

Similarly to the information regarding children, this is also very sensitive, and it would be considered extremely valuable by local criminals, and not to mention online criminals. Criminals would know who the richest people are, who has an expensive car, whether or not a house had children, and more. Combining this information could lead to a number of crimes, with potential kidnappings being among the most worrying.

The source of the leak

The main question that researchers were trying to solve is where did the leak come from. Eventually, they tracked it back to the company known as Novaestrat — a provider of analytics services in Ecuador. However, the company does not offer contact information, and attempts to reach its officials via social media were not successful at this time.

On the positive note, the database was secured over the course of the previous week after vpnMentor notified Ecuador Computer Emergency Response Team, which took action immediately.

It is also noteworthy that this is not the first time this year that Elasticsearch server has leaked sensitive information. Only a month ago, in August, a similar case exposed the data of voter records in Chile. Around 14.3 million voters got exposed, which is around 80% of Chile’s population.