Two security researchers working for vpnMentor, Noam Rotem and Ran Locar, have an impressive record of uncovering massive data leaks. Now the dynamic duo has, with the help of ZDNet reporter Catalin Cimpanu, exposed one of the most mind-boggling security blunders to date: the leaking of personal information about what is thought to be the entire population of Ecuador.
How has the population of Ecuador been put at risk?
Some 20.8 million records, within 18GB of data, were exposed on an unsecured server located in Miami, Florida, which appears to be owned by an Ecuadorian company, according to the researchers. The entire population of Ecuador is 16.6 million; the difference is accounted for by duplicate records and by records that do not relate to citizens of the South American country.
“The majority of the affected individuals seem to be located in Ecuador,” the vpnMentor report states, “although the exact details remain unclear, the leaked database appears to contain information obtained from outside sources. These sources may include Ecuadorian government registries, an automotive association called Aeade, and Biess, an Ecuadorian national bank.”
The Julian Assange connection
The unsecured database included an entry for WikiLeaks founder Julian Assange, who was granted political asylum by Ecuador in 2012. Cimpanu said that “we were able to find records for the country’s president.” However, the vast majority of the data related to ordinary citizens along with their family members, including children, spouses and parents. This meant it was possible “to reconstruct family trees for the entire country’s population,” Cimpanu said.
What information was in the exposed database?
The type of personal information found included:
- full name (first, middle, last)
- date of birth
- place of birth
- home address
- email address
- home, work, and cell phone numbers
- marital status
- date of marriage (if applicable)
- date of death (if applicable)
- level of education
- employer name
- employer location
- employer tax identification number
- job title
- salary information
- job start date
- job end date
If the individual held a bank account with the Ecuadorian national bank, then additional information included:
- account status
- current balance in the account
- amount financed
- credit type
Is the database still exposed online?
The database was closed thanks to an intervention from the Ecuador Computer Emergency Response Team (CERT), which was contacted by the researchers after they were unable to find any way of reaching the company thought to be behind the database. That will be of little comfort to the citizens of Ecuador whose data has been exposed to the world, something that cannot be undone. If the security researchers could find the open server, then so could cyber-criminals, who may well already be using it to commit identity fraud or as part of phishing scams to grab credentials.
The security expert opinion
“Criminals of both the cyber and non-cyber varieties will be smiling like an evil raccoon,” Ian Thornton-Trump, head of cybersecurity at Amtrust International, says. “From the cyber perspective, sensitive data like the information disclosed tends to validate the information used in targeted phishing and fraud scams,” Thornton-Trump says. And in an area of the world where kidnappings, ransom and human trafficking are by no means uncommon, Thornton-Trump says, “criminals of all types will exploit this information for malicious ends in the physical or cyber world.”
“Companies and governments, in particular, should always secure their databases to ensure they are not publicly available,” Javvad Malik, security awareness advocate at KnowBe4 said, “in addition, when dealing with third parties which may access, process, or store the data, they should undertake rigorous due diligence to verify the third party also adheres to good security controls.” Malik also said that before creating such large databases, governments and companies should ask whether such an extensive collection is actually “necessary, legal and whether or not they have the ability to secure it adequately.”