Connect with us

The Online Technology

Leaky database spills data on 20 million Ecuadorians and businesses – Naked Security

Security Watch

Leaky database spills data on 20 million Ecuadorians and businesses – Naked Security


Ecuadorian police on Monday searched the home of an attorney for the consulting and analytics company Novaestrat, seizing storage devices, documents and electronic equipment after what appears to be the company’s unsecured database – located in Miami – was found spilling deep data on over 20 million Ecuadorians.

…as well as data for one Australian by the name of Julian Assange, who was granted political asylum by Ecuador in 2012, and squirreled away in the Ecuadorian embassy in London up until April 2019.

This is an unprecedented breach for the country. In fact, there were more people’s data in that database than there are people living in Ecuador. As of 2017, the country only had a population of about 16.62 million, as pointed out by the team of vpnMentor researchers – led by Noam Rotem and Ran Locar – who found the breach.

The personally identifying information (PII) of those few extra million people could have come from deceased people, according to Ecuador’s state attorney general’s office and according to the “death date” record the researchers found – among many, many other sensitive types of information – in the database. According to a post from the state AG’s office, the cache also contained the PII of about 7 million minors.

vpnMentor said in its report, released on Monday, that its research team discovered the breach as part of its large-scale web-mapping project. One assumes it’s the same project that recently led the team to a leaky database stuffed with Groupon emails that turned out to belong to crooks who were ripping off ticket sellers using fake email accounts and stolen payment card details.

The leaky Ecuadorian database contained about 18GB of data, mostly pertaining to people apparently located in Ecuador. vpnMentor said that it appears to contain information coming from sources that may include Ecuadorian government registries, an automotive association called Aeade, and an Ecuadorian national bank called Biess.

According to the country’s telecommunications ministry, it received a report on the breach from vpnMentor on 11 September, and the leak was closed on the same day.

On Monday, 16 September, Telecommunications Minister Andres Michelena said that a personal data protection bill that’s been in the works for months would be sent to the National Assembly within 72 hours.

(Note that in its press release about the new data privacy law, the government used two similar spellings to refer to the data analytics company in question: Novastratech SA, which appears to be a computer hardware seller, and Novaestrat, which appears to be the company now under investigation and whose site was down as of Tuesday morning.)

Leonardo Granda, Sophos’s manager of Sales Engineering in Latin America, explained to Naked Security that Ecuador is just one country in Latin America looking at data protection laws.

Latin America is going through a process of digital transformation that is very important and the region lacks mature data protection laws. The pioneer in this area is Brazil that created the “general data protection law” in its acronyms LGPD, similar to GDPR in Europe, but in the rest of the countries of the region they are still trying to figure out how to advance in this matter.

Taxpayer IDs, bank account numbers, and so much more

The records were full of what identity thieves consider pure gold. People in the database were identified with a 10-digit ID code – a code that was referred to in some places in the database as “cedula” and “cedula_ruc”. In Ecuador, the terms “cédula” or “cédula de identidad” refers to an individual’s national identification number, which is similar to the taxpayer ID, or Social Security Number (SSN), used in the US.

The term “RUC” refers to Ecuador’s taxpayer registry: Registro Unico de Contribuyentes. Thus, vpnMentor researchers suggest that the “cedula_ruc” value may refer to Ecuadorians’ taxpayer ID number.

Real Life. Real News. Real Voices

Help us tell more of the stories that matter

Become a founding member

Other sensitive information in the database:

  • full name (first, middle, last)
  • gender
  • date of birth
  • place of birth
  • home address
  • email address
  • home, work, and cell phone numbers
  • marital status
  • date of marriage (if applicable)
  • date of death (if applicable)
  • level of education

The researchers also found bank details relating to the Ecuadorian national bank Biess (El Banco del Instituto Ecuatoriano de Seguridad Social), including:

  • account status
  • current account balance
  • amount financed
  • credit type
  • location and contact information for the person’s local Biess branch

They found still more, including the full name of the individual’s mother, father, and spouse, and were able to view each family member’s “cedula” value – in other words, what may be their national ID number.

Another part of the database held these employment details:

  • employer name
  • employer location
  • employer tax identification number
  • job title
  • salary information
  • job start date
  • job end date

And there’s more: vpnMentor also found automotive records that may be linked to individual car owners through their taxpayer ide­ntification number, including the car’s license plate number, make, model, date of purchase­, most recent date of registration, and other technical details.

The database was also leaking some Ecuadorian businesses’ information, including their Ecuadorian taxpayer identification number (RUC), each company’s address and contact information, and contact details and identity of the companies’ legal representatives.