An investigation by a group of information security experts from the firm vpnMentor discovered a massive data breach that has affected more than 20 million citizens of Ecuador; it appears that the exposure of this information has occurred due to a database with poor security measures.
The researchers, led by Noam Rotem and Ran Locar, discovered the misconfigured server containing this gigantic database in Florida, US. The evidence collected so far suggests that the Ecuadorian company Novaestrat owns that server. The company involved provides marketing services, data analysis, among other services.
Experts found this exposed database while working on a large-scale web mapping project. After the founding, vpnMentor experts contacted the company involved to inform them about the incident, as well as making some security recommendations.
Information security experts say the database contains a considerable amount of highly sensitive information, mostly belonging to Ecuadorian citizens; although no further information is available at the moment, the details publicly mentioned by experts suggest that the database was integrated with information collected by other organizations.
Among the public organizations and private companies that collected the information stored in this database are some instances of the government of Ecuador, the Ecuadorian bank Biess and an automotive association called Aeade. It is not known how long the database remained exposed, although it was secured on September 11. Among the exposed information are details such as:
- Full names
- Birth dates
- Email address
- Phone numbers
- Marital status
- Level of study
In their report, information security experts say they were even able to access the records associated with Julian Assange, activist and founder of WikiLeaks, who remained a long-time refugee at the Ecuadorian embassy facilities in London.
The incident has not only impacted millions of individuals. Multiple companies operating in Ecuadorian territory have also seen their information exposed, including tax details, business emails and contact data of hundreds of executives at these companies.
Although the breach has already been secured, due to the type of information exposed the affected persons could remain exposed to various risks for an indefinite time, perhaps years. Information security specialists at the International Institute of Cyber Security (IICS) claim that exposed information could be exploited by cybercriminals for massive spam, phishing and invasive advertising campaigns.
“Using the exposed personal information a criminal could even contact one of the affected persons directly to extract even more personal information, such as financial information and login credentials for email services or social media platforms,” experts say. As for the companies affected by the incident, some potential security risks include commercial espionage and fraud attempts through business email accounts.