Go back Trends & News

20 Million Personal Data Records Leaked in Ecuador: A Wake-up Call for Businesses

By Andre Luiz R. Silva on October 11, 2019

Ecuadorian authorities arrested the IT director of the Novaestrat consultancy on September 17, and are holding him responsible for the leakage of the personal data of 20 million Ecuadorians. 

This number is particularly surprising because it’s greater than the country’s entire population, which is currently 16 million. Faced with the gravity of the situation, the Ecuadorian government immediately proposed that Congress pass a data protection bill.

In addition to the fact that this data can be used by criminal elements in three different ways (see below), this case is a crucial warning of the importance of monitoring sensitive and private government and corporate data.

 

What we found among the 20 million leaked records


The leaked data of the Ecuadorian citizens includes full names, addresses, emails, ID and tax numbers, employment information and more. Also included are bank and financial data, such as account numbers, balances and loans. Level of education is even in there!

It’s approximately 18 GB of data. However, the database doesn’t appear to be Novaestrat’s alone, despite its being hosted on the company’s servers. According to vpnMentor, which discovered the leak and reported it in its blog, the leaked records may include data from the Ecuadorian government, the Ecuadorian national bank (BIESS), as well as the national association of automotive companies (AEADE).

The other four million records, exceeding the size of the Ecuadorian population, includes people who have died or once resided in the country. In that latter category is found the famed Julian Assange, whose data was also exposed! 

The WikiLeaks founder, mentioned in the announcement, took political asylum in Ecuador in 2012. Redacted data about him was released:

Ecuador leak Julian Assange

 

Data leaked from companies

VpnMentor also spotted sensitive data related to taxes paid by Ecuadorian companies. Ecuadorian taxpayer identification numbers were found among the companies’ addresses, the names of their legal representatives and contact information.

 

One database, three different types of dangers


There are three ways that this leaked data can be used to financially exploit and/or steal information that’s even more sensitive. Such dangers were also noted in the vpnMentor report:

Phishing and malware

Cybercriminals can create targeted scams—generally via email, as in the case of spear phishing—that capture the victim’s confidence once they are “seduced,” and develop credibility by including data such as their parents’ names and address.


Identity theft and financial fraud

Cybercriminals can use personal identity data to create “orange” accounts and launder money. Such accounts are in high demand on the deep and dark web.


Corporate espionage and fraud

Information leaked from companies may provide access to systems and enable criminal acquisition of sensitive internal data. A very common practice of this type is the use of executives’ data.

 

Problems and lessons: The responsibility of companies


The problems created by the Novaestrat leakage fall into three categories. They are characteristic of a lack of commitment and respect for the users’ data:

  • Improper collection of data, allegedly from several sources, to form a single database, also demonstrating “collusion” with other companies
  • Incorrect storage of data on an unsecured and untrustworthy server, which allowed it to be exposed
  • Lack of action, failure to notify authorities, and “disappearing” from the public scene. (Novaestrat has taken down its website, along with all of its social network profiles.)

 

New problems: Digital risk protection is serious business

VpnMentor went on to stress that data exposure cannot be undone. Even with the fix, information may already be in the wrong hands, and that creates the need for remediation of future exposures. 

Data from IBM indicate that, globally speaking, companies delay an average of 197 days (six months and 17 days!) to contain a data leakage situation. That done, it’s still necessary to do a clean sweep of all channels that may be hosting the sensitive information. 

In general terms, this is nothing less than an ethical problem: Every company must take responsibility to clean up its own “mess.” Considering the immensity of the Internet, it can be frustrating just to think about this. But correct tools and technological advancement show that it is possible to turn this situation around. 

That’s what Axur One is here for: With the efficiency of thousands of bots and the intensive use of machine learning, it is possible, with just a few clicks, to monitor and respond to risks such as data leaks. Check out our website to better understand this solution.