Ecuadorian authorities arrested the IT director of the Novaestrat consultancy on September 17, and are holding him responsible for the leakage of the personal data of 20 million Ecuadorians.
This number is particularly surprising because it’s greater than the country’s entire population, which is currently 16 million. Faced with the gravity of the situation, the Ecuadorian government immediately proposed that Congress pass a data protection bill.
In addition to the fact that this data can be used by criminal elements in three different ways (see below), this case is a crucial warning of the importance of monitoring sensitive and private government and corporate data.
The leaked data of the Ecuadorian citizens includes full names, addresses, emails, ID and tax numbers, employment information and more. Also included are bank and financial data, such as account numbers, balances and loans. Level of education is even in there!
It’s approximately 18 GB of data. However, the database doesn’t appear to be Novaestrat’s alone, despite its being hosted on the company’s servers. According to vpnMentor, which discovered the leak and reported it in its blog, the leaked records may include data from the Ecuadorian government, the Ecuadorian national bank (BIESS), as well as the national association of automotive companies (AEADE).
The other four million records, which exceed the size of the Ecuadorian population, include people who have died or once resided in the country. That latter category includes the famed Julian Assange, whose data was also exposed!
The WikiLeaks founder, mentioned in the announcement, took political asylum in Ecuador in 2012. Redacted data about him was released:
vpnMentor also spotted sensitive data related to taxes paid by Ecuadorian companies. Ecuadorian taxpayer identification numbers were found among the companies’ addresses, the names of their legal representatives and contact information.
There are three ways that this leaked data can be used to financially exploit and/or steal information that’s even more sensitive. Such dangers were also noted in the vpnMentor report:
Cybercriminals can create targeted scams (generally via email, as in the case of spear phishing) that build credibility by including data such as the victim’s parents’ names and address, and so win the victim’s confidence.
Cybercriminals can use personal identity data to create “orange” accounts (accounts opened in someone else’s name) and launder money. Such accounts are in high demand on the deep and dark web.
Information leaked from companies may provide access to systems and enable criminal acquisition of sensitive internal data. A very common practice of this type is the use of executives’ data.
The problems created by the Novaestrat leakage fall into three categories. They are characteristic of a lack of commitment and respect for the users’ data:
vpnMentor went on to stress that data exposure cannot be undone. Even with the fix, information may already be in the wrong hands, and that creates the need for remediation of future exposures.
Data from IBM indicate that, globally speaking, companies take an average of 197 days (six months and 17 days!) to contain a data leak. Once that is done, it’s still necessary to do a clean sweep of all channels that may be hosting the sensitive information.
In general terms, this is nothing less than an ethical problem: Every company must take responsibility to clean up its own “mess.” Considering the immensity of the Internet, it can be frustrating just to think about this. But correct tools and technological advancement show that it is possible to turn this situation around.
That’s what Axur One is here for: With the efficiency of thousands of bots and the intensive use of machine learning, it is possible, with just a few clicks, to monitor and respond to risks such as data leaks. Check out our website to better understand this solution.