The unsecured database contained records for every registered citizen of Ecuador, which included sensitive information, including their name, address, voting preferences, and even their government ID number.
First Published 18th September 2019
Thanks to this data leak, some Ecuadorian citizens now consider the capirote as the last line of identity protection.
4 min read | Reflare Research Team
Earlier this week, tech news website ZDNet published an article outlining a data breach affecting most of the citizens of Ecuador. In this briefing, we will take a look at what happened, what the likely impact will be and what this incident teaches us about how breaches happen.
What happened?
Around two weeks ago, two researchers associated with the company vpnMentor contacted ZDNet claiming that they had found an unsecured database containing personal information on almost every citizen of Ecuador. Upon investigation, ZDNet was able to confirm the claims. The database in question was an unsecured Elasticsearch instance. Elasticsearch is used to process extremely large datasets such as access logs, traffic information, scientific research and - as in this case - datasets of entire countries.
Since the database lacked access restrictions, anyone who found it could log in and issue queries which would then return the requested information. It is unclear if and how many attackers abused this insecure server before it was discovered by the researchers.
The database contained 20.8 million entries with several duplicates and outdated rows. Compared to Ecuador’s population of 16.6 million people, the entries are likely to cover most citizens. Data included names, family ties, birthdays, phone numbers, financial data, government registration numbers and car registrations. In short, anything an attacker could want to steal someone’s identity.
The vulnerable servers were operated by a company called Novaestrat, which offers analytics services for the Ecuadorian market. Whether the company had the rights to the data and how the data was gathered remains unclear at this point in time.
What will the impact be?
In the short term, both Novaestrat and Ecuador will come under increased pressure from both Ecuadorian citizens and the international press. We will likely also see a spike in identity theft cases targeting Ecuadorian citizens. Since the country’s institutions and companies will be quick to take preventative measures, these attacks will likely disproportionately affect Ecuadorians living abroad.
In the long term, we live in a world where almost everyone’s information has been breached at one point or another. The relevant question quickly changes from ‘have I been breached’ to ‘what is the most recent set of data on me that was breached’. We, therefore, expect the impact of this breach to taper out relatively quickly.
What can we learn from this case?
The breach highlights a central issue with modern information security:
The companies and agencies that have access to high-value data are often not prepared to handle it adequately. While Novaestrat’s servers were an extreme example, the majority of recent breaches were the result of negligence on the part of data owners. From misconfigured data stores to outdated server software to this freely accessible data source - the majority of breaches happen not because an unstoppable adversary unleashed sophisticated tools, but because the infrastructure was poorly secured.
While some jurisdictions like the EU and US have introduced legislation to make such negligence costly, many other countries have not. This, combined with the misplaced trust many organizations have in their own infrastructure leads and will continue to lead to many more breaches.