Personal records of more than 20 million adults and children, both dead and alive, were found publicly exposed on an unsecured Elasticsearch server by security firm vpnMentor, which made the discovery during its large-scale mapping project.
For a country with a population of over 16 million people, the breach exposed details of almost every Ecuadorian citizen, including President Lenín Moreno as well as WikiLeaks CEO Julian Assange, who was given political asylum in the country in 2012.
The unsecured Elasticsearch server, which was based in Miami and owned by Ecuadorian company Novaestrat, contained 18GB cache of data appeared to have come from a variety of sources including government registries, an automotive association called Aeade, and an Ecuadorian national bank called Biess.
Data Breach Exposes Personal Data of Almost Entire Ecuador Population
The cache reportedly contained everything from full names, gender, dates and places of birth, phone numbers and addresses, to marital statuses, national identification numbers (similar to social security numbers), employment information, and details of education.
The cache also contained specific financial information related information to accounts held with the Ecuadorian national bank Biess, including person's bank account statuses, current balances and credit type, along with detailed information about individuals' family members.
notified the Ecuadorian Computer Incident Response Center (EcuCERT) of the breach, who then immediately informed Novaestrat, the online data consulting firm in the city of Esmeraldas who owned the unsecured server, which was later taken offline on September 11.
Authorities Investigating Company Allegedly Responsible for the Leak
As part of the investigation, Ecuadorian officials also said in a statement on Tuesday that they had arrested the manager of Novaestrat identified as William Roberto G and seized electronic equipment, computers, storage devices, and documentation during a raid at his home.
Roberto has been taken to the Ecuadorian capital, Quito, by the authorities for questioning and may face criminal charges.
Also, given the privacy concerns surrounding the incident, the country's Minister of Telecommunications said legal actions would be taken against the affected institutions to sanction private companies responsible for violating privacy and publicizing personal information without authorization.
The Minister of Telecommunications also said it is planning to pass a new data privacy law in the country, which they have been working for the past eight months, to protect the personal data of its citizens.
This is not the first time when the country has suffered a significant data security breach.
In 2016, hackers managed to steal $12 million from an Ecuadorian bank, Banco del Austro (BDA), by breaching its Swift payment system.
However, the latest Ecuador's breach recalled Bulgaria history's biggest data breach that took place on July 2019 and exposed personal and financial information of 5 million adult Bulgarian citizens out of its total population of 7 million people—that's over 70% of the country's population.