Ecuador is a country with almost 17 million inhabitants. It is no exaggeration to say that the information of most of them is at risk: the security company vpnMentor discovered a poorly protected server that exposed sensitive information from 20.8 million Ecuadorians. This is one of the biggest data leaks in Latin America.
The information comes from ZDNet, which learned from vpnMentor that the vulnerable server is located in Miami and is controlled by Novaestrat, a company that does market analysis in Ecuador. Analysts found that, despite Novaestrat being a private company, the exposed databases contain data from the Ecuadorian government.
As already reported, the server revealed data for 20.8 million citizens. This number exceeds the estimated number of inhabitants of Ecuador because the data contains duplicate and old records and, presumably, records of deceased people.
But that does not mean that the exposed databases are all out of date. There are records that date back to recent years, including 2019. Many of them belong to children, which only exacerbates the situation: there are data for children under 18 registered every year between 2002 and 2019.
The variety of data is large. The server exposed information such as identity number, telephone number, wedding date, school history, work records, car ownership and financial details.
The data is so complete that, in many cases, it is possible to reconstruct family trees with information about each member. Even records about Lenín Moreno, the Ecuadorian president, and Julian Assange, who spent seven years at the Ecuadorian embassy in London, were found.
In all, Novaestrat exposed 18 GB of data. When the server was discovered, analysts initially thought that the databases belonged to the government of Ecuador, but they soon found databases from private entities there.
Two databases drew attention for their criticality. The first contains 7 million records from the Bank of the Ecuadorian Social Security Institute (Biess). This database revealed financial data of citizens, such as account balance and type of credit contracted.
The second database contains 2.5 million records about vehicles and their owners. This database was extracted from the Association of Automotive Companies of Ecuador (Aeade).
The severity of this exposure is immense. With the data obtained from the server, criminals can discover the financial situation of several people, run scams using data from cars, identify children from wealthy families (increasing the risk of kidnapping) and so on.
It is not clear whether the data reached criminal hands. In any case, steps have already been taken: the server that was previously vulnerable is now protected.
However, ZDNet and vpnMentor had difficulty contacting Novaestrat. The company does not list a phone number or e-mail address on its website, nor has it responded to attempts to contact it on its Facebook page. Company employees were contacted on LinkedIn, but again there was no response.
The problem was only resolved after vpnMentor contacted the Ecuadorian Computer Incident Response Center (Ecucert).
Ecuadorian authorities are already investigating the case. The work is going to be extensive: the government of Ecuador must measure the extent of the problem and find out how such critical data ended up in the hands of a private company that, on top of that, did not take even basic care to protect it.