Unsecured server exposes data for 85% of all Panama citizens

The server contained patient data, but no medical records were exposed -- only personally identifiable information (PII).
Written by Catalin Cimpanu, Contributor
Panama City

An Elasticsearch server left connected to the internet without a password, or firewall protection, has leaked what appears to be personal records and patient information for roughly 85 percent of Panama's citizens.

The leaky server was found online last week by Bob Diachenko, founder and security researcher with Security Discovery.

The Elasticsearch server, a technology used to power fast search systems, contained 3,427,396 user records labeled as patient data. The data was valid, in ZDNet's assertion.

Judging that Panama's last census listed the country having a population of 4,034,119 citizens, it appears that personal records for 84.96% of all Panamanians was exposed online during this server mishap.


The information here is a treasure trove for online fraudsters, although, the good news is that no financial was present in the database.

Information stored in the leaky Elasticsearch server included names, home addresses, phone numbers, email addresses, national ID numbers, dates of birth, medical insurance numbers, and other, per Diachenko's analysis.

Not all database entries contained the same type of information, and for some users, only part of this data was present in the database. Furthermore, there was no indication that the database stored details about a patient's medical records, past conditions, treatments, or so on, Diachenko told ZDNet.


The database was secured over the weekend after Diachenko notified the Computer Emergency Response Team (CERT) of Panama.

The leaky server also did not contain any clues about its ownership, and this still remains a mystery today.

Nonetheless, the company or state agency believed to be running the Elasticsearch server doesn't appear to have good security practices.

The same IP address where the Elasticsearch cluster was hosted also exposed RDP endpoints over the internet, allowing anyone to launch brute-force attacks and attempt to compromise the company's network. Such endpoints should normally be exposed online from behind a firewall that strictly limits who can access them.

Data leaks: The most common sources

More data breach coverage:

Editorial standards