With a population of about 16.5 million, Ecuador is one of the larger countries in South America. Every last one of those citizens, along with potentially millions of visitors and businesses with a presence in the country, now has to wonder if their sensitive personal information is in the hands of hackers. The Ecuador data breach of early September saw a small and relatively newly-formed company gain access to a shocking amount of personal data at the national level, and then leave it exposed in an unsecured database connected to the internet. This was owed in large part to Ecuador having almost nothing in the way of data privacy laws on the books; the one positive outcome of the breach is that it forced the country to fast-track much more robust protections for its citizens.
The Ecuador data breach of September 2019
The Ecuador data breach was discovered by security researchers Noam Rotem and Ran Locar of vpnMentor. The pair has made the news several times in recent months for discovering similar high-profile breaches, usually involving unsecured servers and cloud databases containing significant amounts of personal information.
The unsecured database, which appears to have contained information on just about the entire population of the country (20 million people in total), is owned by small data analytics firm Novaestrat. The vpnMentor researchers found about 18GB of data, and indicated that some data may belong to deceased citizens of the country. The breach was closed on September 11.
The information was organized according to the country’s national ID numbers, used primarily for taxpayer identification. Attached to these ID numbers was a wealth of contact information: full name, home address, various known phone numbers, email address, date and place of birth, marital status, date of marriage and date of birth. Dates of death were also available for deceased citizens.
Some accounts had much more detailed information in them, however. Holders of accounts with the Ecuadorian national bank Biess had their account information exposed in this breach. The files contained their account status, current balance, information on any lines of credit or financing they might have, and which local bank branch they are known to use.
The Ecuador data breach also exposed family connections. Each person’s file contained a link to family members such as their parents and their spouse. And many files contained detailed information on the subject’s employment status: their employer’s name and location, the employer tax ID number, job title, salary and their start and end dates. Some also contained automobile registration information, such as license plate numbers and details about the car’s make and model.
Ecuadorian businesses were also exposed by way of files connected to their tax ID numbers. In addition to the connections with their individual employees, these records exposed contact information for each company’s legal representative.
An interesting side note is that the researchers found an entry for Wikileaks founder Julian Assange among these records. Assange, who is currently being held as a flight risk while the United States pressures the UK to extradite him, apparently had an Ecuadorian national identification number assigned to him during his lengthy stay in their embassy.
High risk for Ecuadorian citizens
The information leaked in the recent Ecuador data breach is an all-you-can-eat buffet for threat actors. It’s virtually everything an identity impersonator or scam artist could want short of usernames and passwords to financial accounts. Ecuadorian companies also have to be wary of this information being used in attempts to defraud them.
Javvad Malik, Security Awareness Advocate for KnowBe4.com, expanded on the unique risks presented by the Ecuador data breach:
“The Ecuador breach is another in a very long list of cloud-based databases leaking information to anyone with an internet connection.
“But this is particularly significant due to the number of records and the sensitivity of the data. Most troubling perhaps being the data of children being stolen which can be used by criminals to setup fake identities, or take out loans against which the victims won’t realize until further in life when they realize their credit is ruined.
“Companies and governments in particular should always secure their databases to ensure they are not publicly available. In addition, when dealing with third parties which may access, process, or store the data, they should undertake rigorous due diligence to verify the third party also adheres to good security controls.
“Finally, and perhaps most importantly – before creating such large databases, governments and companies should ask whether such a large collection is necessary, legal, whether or not they have the ability to secure it adequately, and what the impact of any breach would be.”
Ecuador has been slow to develop data privacy laws. The country passed a resolution establishing a right to data privacy in 2008, but took over a decade to come up with any specific regulations to add teeth to it. The first step was a law that went into effect in early 2019 that established some citizen rights to awareness of and control over how private companies use their data, with fines and sanctions (scaled to company income) backing them up.
It clearly wasn’t enough to prevent the September Ecuador data breach, however. It is not clear if any threat actors or other parties accessed this data prior to vpnMentor discovering it; the country’s attorney general issued a statement that was noncommittal.
This isn’t the first data privacy controversy for the Ecuadorian government. Earlier in the year, the country was criticized for importing facial recognition surveillance systems from China.
New data privacy laws in Ecuador
While the country has flagged to this point in implementing data privacy laws, the response to the Ecuador data breach has been very swift and decisive thus far.
The country began by raiding the house of a William Roberto, listed as the owner of Novaestrat, and confiscating computer hardware. They also brought him to the capital city of Quito for questioning, and it appears that the nation is considering criminal charges. While this sort of heavy-handed police response is certainly questionable in its own right, it is also night-and-day from the usual consequences for the leaders of companies that leave damaging personal data exposed.
The country indicated that Novaestrat was not supposed to be in possession of the information it had, but that it did not hack or gain unauthorized access to any of the country’s servers. That only raises more questions about how and why it wound up with all of this information, particularly when you learn that Novaestrat’s owner appeared to be working out of a home office (the compromised server was cloud-based and located in Miami).
Ecuador also accelerated the progress of a new personal data protection bill that has been under consideration for months, claiming that it would go before the National Assembly by September 23. The data privacy law has been described by several news sources as “drawing on” Europe’s General Data Protection Regulation (GDPR) as a model for some elements, but is far from being a clone of the EU’s stringent regulations.
Will it help?
While having some sort of enhanced data privacy law in place is likely going to be welcomed by Ecuadorian citizens, it remains unclear what the full terms of this bill are or if they are really in the best interest of the protected parties. While the Ecuadorian government has certainly taken too long in getting adequate protections in place, it is possible this is a swing too hard to the other side in an attempt to compensate for the lack of data protection laws.
The government response should certainly give businesses in Ecuador pause, however. Chris DeRamus, CTO of DivvyCloud, expanded on how these businesses can avoid an armed raid on their offices:
“The misconfiguration of an Elasticsearch server left 20.8 million user records exposed – more than the entire population of Ecuador which is about 16.6 million. We’ve seen numerous times how a misconfiguration can expose nearly every customer of a company, but this might be the first instance in which the people of an entire country were put at risk.
“Misconfigurations are frightfully common, but there are simple and highly effective ways to prevent them. All organizations, everywhere in the world, should deploy automated cloud security solutions that can ensure databases are configured correctly from the beginning, so there is never a risk of misconfiguration. Even as environments change (which is quite often, especially when dealing with the cloud), these solutions provide continuous monitoring and will alert the appropriate personnel in the event of a change that could lead to a security risk, or even trigger automated remediation in real-time. This way, Elasticsearch databases and other assets never have the opportunity to be exposed, even temporarily.”
However, ultimately it will be up to the people of Ecuador to vote in and pressure leadership that will not give contracts to shady characters that have access to national taxpayer databases while running a consulting firm from their home offices. Any new data privacy law will be meaningless if access to citizen data is as easy as it appears to currently be.