Personal and financial information of over 20 million Ecuadorian citizens was left exposed to public access by a data analytics and software development company that stored up to 18GB of documents in an unsecured Elasticsearch database.
The massive breach of personally identifiable information, as well as financial details of the entire Ecuadorian population, was discovered by security researchers Noam Rotem and Ran Locar at vpnMentor while scanning ports to find known IP blocks.
During their analysis of the exposed database, the researchers found that the database contained minute personal and financial details of every Ecuadorian citizen, leaving almost nothing to the imagination. While going through the names of those whose information had been stored in the database, they found Wikileaks' founder Julian Assange's national identification number and other details as well.
Database stored PII, bank account info, and employment details
The list of personal details stored in the database included full names, gender, dates of birth, places of birth, home addresses, email addresses, home, work, and cell phone numbers, marital status, dates of marriage, dates of death (if applicable), and level of education. Considering that Ecuador's population is around 16 million, the database contained information on a large number of citizens who had passed away as well.
Records of every Ecuadorian in the database were also accompanied by a 10-digit national identification number. Financial records of Ecuadorian citizens stored in the database were not restricted to bank account numbers but also included account status, current balance in the account, amount financed, credit type, and location and contact information for the person's local Biess branch.
The database also stored detailed employment information of Ecuadorian citizens such as names of employers, location of employers, tax identification numbers of employers, job titles, salary information, job start dates and end dates wherever applicable.
If you're wondering if anything's still left, the database also contained details of vehicles owned by citizens such as the car’s license plate number, make, model, date of purchase, most recent date of registration, and other technical details about the model.
Aside from storing almost everything one needs to know about Ecuadorian citizens, the database also contained details related to various companies in Ecuador. These details included companies' Ecuadorian taxpayer identification numbers (RUC), company addresses, contact information, and details about each company’s legal representative.
According to vpnMentor, the unsecured Elasticsearch database was owned by Novaestrat, an Ecuadorian company engaged in providing data analytics, strategic marketing, and software development services to other organisations. After it was alerted about the exposed database, Novaestrat closed public access to the database on 11th September.
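To make the underlying failure concrete, the following script audits an elasticsearch.yml for the two settings that together produce a cluster of the kind described here: a listener bound to every network interface, and X-Pack security left disabled so that the HTTP API answers without credentials. This is an added example for this article, not code from vpnMentor, Novaestrat or the Elasticsearch project. The two configuration samples are constructed for illustration; the setting names (network.host, http.port, xpack.security.enabled, xpack.security.http.ssl.enabled) are real Elasticsearch settings, while the cluster name and the 10.0.1.5 address are placeholders.

```python
"""Audit an elasticsearch.yml for the settings that expose a cluster publicly
without authentication.

Added example for this article; not code from vpnMentor, Novaestrat or the
Elasticsearch project. The two sample configurations are constructed; the
setting names are real Elasticsearch settings, the values are assumptions.
"""
import sys
from typing import Dict, List

# network.host values that bind the HTTP and transport listeners to every
# interface, public ones included (a specific IP or "localhost" does not).
WILDCARD_BINDS = {"0.0.0.0", "::", "_global_"}

# Constructed: a node opened up on all interfaces with security left unset,
# which Elasticsearch 7.x and earlier did not enable by default.
WEAK_CONFIG = """\
cluster.name: analytics-prod   # hypothetical cluster name
network.host: 0.0.0.0
http.port: 9200
discovery.type: single-node
"""

# Constructed: the same node bound to a private address with X-Pack security
# and TLS on the HTTP API enabled (10.0.1.5 is a placeholder address).
HARDENED_CONFIG = """\
cluster.name: analytics-prod
network.host: 10.0.1.5
http.port: 9200
discovery.type: single-node
xpack.security.enabled: true
xpack.security.http.ssl.enabled: true
"""


def parse_flat_yaml(text: str) -> Dict[str, str]:
    """Parse the flat 'key: value' lines of an elasticsearch.yml.

    Comments and blank lines are skipped; nested mappings and list syntax
    are out of scope for this check.
    """
    settings: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or ":" not in line:
            continue
        key, _, value = line.partition(":")
        settings[key.strip()] = value.strip().strip("'\"")
    return settings


def audit_config(text: str) -> List[str]:
    """Return one finding per risky setting (an empty list means nothing flagged)."""
    s = parse_flat_yaml(text)
    findings: List[str] = []
    host = s.get("network.host", "localhost")  # unset: loopback only
    if host in WILDCARD_BINDS:
        findings.append(f"network.host={host}: HTTP API listens on every interface")
    # Treat an unset value as disabled, the conservative reading for 7.x and earlier.
    if s.get("xpack.security.enabled", "false").lower() != "true":
        findings.append("xpack.security.enabled is not true: HTTP API needs no credentials")
    if s.get("xpack.security.http.ssl.enabled", "false").lower() != "true":
        findings.append("xpack.security.http.ssl.enabled is not true: traffic is cleartext")
    return findings


def is_publicly_unauthenticated(text: str) -> bool:
    """True for the combination behind this story: bound to all interfaces
    and no authentication, so the indices are readable by whoever reaches the port."""
    s = parse_flat_yaml(text)
    return (s.get("network.host", "localhost") in WILDCARD_BINDS
            and s.get("xpack.security.enabled", "false").lower() != "true")


if __name__ == "__main__":
    # Audit the file named on the command line, or the two constructed samples.
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8") as fh:
            samples = {sys.argv[1]: fh.read()}
    else:
        samples = {"weak (constructed)": WEAK_CONFIG,
                   "hardened (constructed)": HARDENED_CONFIG}
    for name, cfg in samples.items():
        print(f"== {name}: public and unauthenticated = {is_publicly_unauthenticated(cfg)}")
        for finding in audit_config(cfg) or ["no findings"]:
            print("  -", finding)
```

Run it against your own node's elasticsearch.yml to get the same three findings the weak sample produces; the hardened sample shows the minimum that removes them, namely a non-wildcard bind plus authentication and TLS on the HTTP API. A node that is not reachable from the internet still fails the security check here, deliberately: the article's point is that the database should not have answered anyone without credentials in the first place.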
Javvad Malik, security awareness advocate at KnowBe4, said that while this instance is another in a very long list of unsecured cloud-based databases leaking information to everyone, this is particularly significant due to the number of records and the sensitivity of the data.
"Most troubling perhaps being the data of children being stolen which can be used by criminals to set up fake identities, or take out loans against which the victims won't realize until further in life when they realize their credit is ruined," he noted.
Organisations must simplify cyber security to ensure compliance
"Companies and governments, in particular, should always secure their databases to ensure they are not publicly available. In addition, when dealing with third parties which may access, process, or store the data, they should undertake rigorous due diligence to verify the third party also adheres to good security controls.
"Finally, and perhaps most importantly - before creating such large databases, governments and companies should ask whether such a large collection is necessary, legal, whether or not they have the ability to secure it adequately, and what the impact of any breach would be," he added.
Todd Peterson, IAM evangelist at One Identity, said that this case further illustrates how organisations of all kinds are still getting security wrong because, generally, security is a hassle to their business. No one likes entering user IDs and passwords, and even fewer like entering the second factor of authentication that should be used by all organisations. Server misconfigurations are in the news every week, and in some cases lead to massive data leaks, such as the one suffered by the Ecuadorian civil registry.
"However, there are options to make the first and second factor of authentication less obtrusive so that users are more prone to do the right thing. Practices such as adapting the requirement based on risk, delegating permissions to prevent sharing of superuser credentials, and implementing multifactor authentication in a manner that is user friendly (such as via an app on the user’s phone) all improve security and minimise disruption," he added.