Incident Of The Week: Cloud Misconfiguration Exposes 20 Million Ecuador Citizen Records
Data Analytics Firm Under Investigation, Executives Arrested In Privacy Breach
The advent and proliferation of cloud services has resulted in larger data sets that companies can use to analyze operational and customer data for insights. The adoption of cloud services have also resulted in exposing millions of records containing sensitive company data and personally identifiable information (PII).
Companies are not the only entities embracing the cloud. Government agencies are also undergoing IT transformations that utilize the cloud and these databases have experienced misconfigurations similar to commercial applications. This month, vpnMentor security researchers Noam Rotem and Ran Locar discovered an Elasticsearch server housed in Miami, Florida that contained 20 million personal records from citizens of Ecuador, reports ZDNet.
The South American country has a population of 17.4 million, according to United Nations estimates. An analysis of the approximately 20.8 million records in the database by ZDNet suggested that duplicate and outdated records were part of the collection plus citizens that have since passed away.
Data contained individual and family relationship data along with addresses, relationship status, and national ID numbers. The family details within the database were so well-documented that it was believed that entire family trees could be reconstructed with the data discovered.
The analysis found records of government officials, including Ecuadorian president Lenín Moreno, and famous persons such as WikiLeaks founder Julian Assange, who received political asylum in Ecuador during 2012 and was issued a cedula national ID number.
Surprisingly, the database not only contained government info but also contained private databases. Two particularly interesting labels suggested that Banco del Instituto Ecuatoriano de Seguridad Social financial details and Asociación de Empresas Automotrices del Ecuador automotive ownership and vehicle licensing details were additionally accessed.
A mega-breach of government information on its citizens is bad enough. When combined with personal financial data and vehicle ownership, the combo creates a treasure trove for criminals to launch targeted attacks against wealthy households with children and expensive vehicles.
The database host appeared to be Novaestrat, an analytics and software development company focused on the Ecuadorian financial market. When the researchers were unable to reach the company, vpnMentor contacted the Ecuador Computer Emergency Response Team (CERT) to inform it of the database findings. Federal authorities began an investigation and local police officials arrested Novaestrat’s CEO and General Manager.
The investigations are on-going though government officials have suggested that Novaestrat was a contractor for a previous government administration and may have received the data as part of its business arrangement. There’s also no evidence that the data was compromised despite it be found in plain view due to the server misconfiguration. A data privacy violation may be the only law broken; however, Ecuador privacy laws are viewed as outdated.