The personal records of most of Ecuador's population, including children, have been left exposed online due to a misconfigured database, ZDNet has learned.
The database, an Elasticsearch server, was discovered two weeks ago by vpnMentor security researchers Noam Rotem and Ran Locar, who shared their findings exclusively with ZDNet. Together, we worked to analyze the leaking data, verify its authenticity, and contact the server owner.
The leaky server is one of the biggest data breaches, if not the biggest, in the history of Ecuador, a small South American country with a population of 16.6 million citizens.
20.8 million user records
The Elasticsearch server contained a total of approximately 20.8 million user records, a number larger than the country's total population count. The bigger number comes from duplicate records or older entries, containing the data of deceased persons.
The data was spread across different Elasticsearch indexes. These indexes contained different information, supposedly obtained from different sources. They stored details such as names, information on family members/trees, civil registration data, financial and work information, but also data on car ownership.
Based on the names of these indexes, the entire database could be split into two main categories, according to the data's supposed origin. There's data that appears to have been gathered from government sources, and data that appears to have been gathered from private databases.
The data from government sources
The most extensive data was that which appears to have been gathered from the Ecuadorian government's civil registry.
This data contained entries holding citizens' full names, dates of birth, places of birth, home addresses, marital status, cedulas (national ID numbers), work/job information, phone numbers, and education levels.
ZDNet verified the authenticity of this data by contacting some users listed in the database. The database was up to date, containing information as recent as 2019.
We were able to find records for the country's president, and even Julian Assange, who once received political asylum from the small South American country, and was issued a national ID number (cedula).
Family and kids data
But we only truly understood the extent of this data when we looked at an index named "familia" (family in Spanish), which contained information about every citizen's family members, such as children and parents, allowing anyone to reconstruct family trees for the entire country's population.
However, things didn't stop here. When looking at this index we also realized that there were entries for children, some of whom were born as recently as this spring.
For example, we found 6.77 million entries for children under the age of 18. These entries contained names, cedulas, places of birth, home addresses, and gender.
The table below shows the number of children's records we found in the leaky database. With the exception of the past few years, the rest of the database entries are in tune with public reporting on the country's natality rate.
Number of entries
The leak of children's data is without a doubt the biggest privacy concern about this incident. This leak not only exposes children to potential identity theft, but also puts them in physical danger because their home addresses have been left exposed online for anyone to find.
The data from private sources
But this wasn't all that the database contained. While initially we thought vpnMentor security researchers had stumbled upon a database belonging to the Ecuadorian government, this didn't turn out to be true.
At a closer look, the database also contained indexes labeled with the acronyms of private entities, suggesting they were either imported or scraped from those particular sources. Of note, two indexes were named BIESS and AEADE.
The first, BIESS, stands for Banco del Instituto Ecuatoriano de Seguridad Social, and contained financial information for some Ecuadorian citizens, such as account status, account balance, credit type, and information about the account owner, including job details.
The second, AEADE, stands for Asociación de Empresas Automotrices del Ecuador, and contained information on car owners and their respective cars, including car models and car license plates.
In total, we found 7 million financial records, and 2.5 million records containing car and car owner details.
Just like the Elasticsearch index holding the data of children, these two indexes are also extremely sensitive. The information in both indexes would be as valuable as gold in the hands of criminal gangs.
Crooks would be able to target the country's most wealthy citizens (based on their financial records) and steal expensive cars (having access to car owners' home addresses and license plate numbers).
Connect the data about children and the data about financial records, and criminals would have a list of the most wealthy Ecuadorians, their home addresses, and if they had any children -- making it trivially easy to target and kidnap children from rich families.
The source of the data
When it came time to track down the source of this leak, both ZDNet and vpnMentor independently reached the same source, namely a local company named Novaestrat.
According to its website, the company provides analytics services for the Ecuadorian market. Its website boldly displays the statement "Make financial decisions with updated information of the entire Ecuadorian Financial System" [translated].
However, getting in contact with the company was not as easy as it sounded. The company did not display an email address or phone number where it could be reached. ZDNet reached out to the company via Facebook, and tried contacting employees via LinkedIn, with no success. The company's support forum yielded a PHP error when we tried registering an account.
The database was eventually secured later last week, but only after vpnMentor reached out to the Ecuador CERT (Computer Emergency Response Team), which served as an intermediary.
This is the second major leak of user data originating from a South American country in as many months. In August, ZDNet reported about a similar Elasticsearch server that exposed the voter records of 14.3 million Chileans, around 80% of the country's entire population.