As reported by ZDNet, there’s an unprotected Elasticsearch server that contains over 20.8 million user records. The publication got an exclusive tip from vpnMentor’s Noam Roten and Ran Locar, who discovered the database and analyzed it together with C. Cimpanu. As it became quickly evident, the data belongs to Ecuadorians, spreading across various Elasticsearch indexes that look like they have been populated from different sources. For the small South American country that has a total population of 16.6 million citizens, this security incident is probably the worst in their history.
The reason why the total number of records surpass that of the population of Ecuador is that there are duplicate entries in the database. Apart from that, the details contain full names, family members, civil registration data, financial information, work registry information, and even car ownership details such as plate numbers. Of course, home addresses, places of birth, dates of birth, marital status, national ID numbers, taxpayer-identification numbers, phone numbers, and even education levels are also to be found in the database. The database contained data that goes all the way from 2002 to 2019, while there were 6.77 million entries that correspond to children under the age of 18. The information that concerned the underage citizens includes their full names, place of birth, home address, and gender.
A very probable deduction would be that the owner is some kind of a government agency, but the researchers noticed that two of the contained indexes belong to the Banco del Instituto Ecuatoriano de Seguridad Social and the Asociación de Empresas Automotrices del Ecuador. This led to the private entity named “Novaestrat”, which is an analytics services firm in the country. Although the company remained totally unresponsive to ZDNet’s notifications, they did finally secure the leaking server a week after its discovery. However, they haven't provided any explanations or released a public notice about the incident.
As the scale of the 18GB data leak covers the entire population of Ecuador, sending notifications to them right now is pretty much worthless. The country’s personal data protection agency needs to take control of the situation now and do the needful to protect their citizens as well as to punish everyone responsible for the leak. While the database is now closed, the information may have already leaked. This opens up possibilities for fraud, identity theft, phishing, car plate counterfeiting, business espionage, and more. If you are an Ecuadorian citizen living in the country or elsewhere, beware of the possible consequences.
What would you consider a fair punishment to Novaestrat and anyone who agreed to share citizen data with them? Let us know of your opinion in the comments down below, or on our socials, on Facebook and Twitter.