If yet another leaky Elasticsearch server seems a little anticlimactic, considering how frequently they turn up, the latest find by security researchers might have more of a “wow” factor: it exposed information on nearly all of Ecuador’s 16.6 million citizens, 6.7 million of them children.
“The irresponsible handling of Personally Identifiable Information (PII) has literally put the identity information for generations of Ecuadorians at risk,” said JASK Lead Threat Analyst Kevin Stear. “It's truly tragic to think a child [who is] jeopardized now may suffer identity and online trust issues for their entire life.”
The 20.8 million user records, including names, birth dates, civil registration, bank account numbers and status, family members, work information and corporate tax identification numbers, came from multiple government and private sector sources and even boasted an entry for WikiLeaks founder Julian Assange, who was granted asylum by Ecuador in 2012 and holed up in the country’s London embassy for seven years until his arrest last spring.
Other sources of the data appear to be automotive association Aeade and Ecuadorian national bank Biess.
“One of the most concerning parts about this data breach is that it includes detailed information about people’s family members,” researchers at vpnMentor, led by Noam Rotem and Ran Locar, wrote in a blog post, explaining that the server is likely owned by Novaestrat, an Ecuadorian consultancy. “For each entry, we were able to view the full name of [a citizen’s] mother, father and spouse. We were also able to view each family member’s ‘cedula’ value, which may be a national identification number.”
The researchers disclosed the find on September 11.
“The bigger question I have is why is that level of personal data from a government given to a marketing analytics company? What purpose does it serve? The number one rule of data protection is to not have the data,” said Chris Morales, head of security analytics at Vectra. “Especially when it is private data a government has shared with a third-party private company. That in itself is a bit scary.”
Morales said the “exposure of this data isn’t much different than what was leaked by Equifax, showing that we haven’t learned from previous breaches, as this information was all in a searchable online database that anyone can use.”
Calling the data breach “one for the record books,” Bitglass CTO Anurag Kahol said “the exposed data puts everyone that was affected at risk for future attacks such as identity theft – a long-term effect, especially for the children.”
Torsten George, cybersecurity evangelist at Centrify, noted that “privileged credentials have become the target of cyberattackers,” so “no organization can afford to simply leave the door open for unfettered access to critical systems and sensitive, potentially-profitable data.” Yet a recent Centrify study found “that 86 percent of organizations are using or planning to use cloud infrastructure, yet only 51 percent are including cloud and other transformation technologies in their Privileged Access Management (PAM) strategies.”
A Photon Research Team report that examined 2.3 billion files exposed across online file storage technologies revealed “750 million more files exposed this year than the year prior,” said Harrison Van Riper, strategy and research analyst at Digital Shadows.
“These exposures are largely due to unintended settings in the technologies themselves when they were originally implemented, so it’s important to monitor where your organization’s critical assets are located,” he said. “Moreover, threat actors are becoming more and more attuned to the opportunities for data theft resulting from these oversights. In this case, the citizens of Ecuador are fortunate that there is no evidence of attackers attempting to exploit this exposure, yet.”
Organizations should carefully consider the volume and types of data they store. Javvad Malik, security awareness advocate at KnowBe4.com, encouraged governments and companies creating large databases to “ask whether such a large collection is necessary, legal, whether or not they have the ability to secure it adequately, and what the impact of any breach would be.”