Ecuadorian police on Monday searched the home of an attorney for the consulting and analytics company Novaestrat, seizing storage devices, documents and electronic equipment after what appears to be the company’s unsecured database – located in Miami – was found spilling deep data on over 20 million Ecuadorians.
…as well as data for one Australian by the name of Julian Assange, who was granted political asylum by Ecuador in 2012, and squirreled away in the Ecuadorian embassy in London up until April 2019.
This is an unprecedented breach for the country. In fact, there were more people’s data in that database than there are people living in Ecuador. As of 2017, the country only had a population of about 16.62 million, as pointed out by the team of vpnMentor researchers – led by Noam Rotem and Ran Locar – who found the breach.
The personally identifying information (PII) of those few extra million people could have come from deceased people, according to Ecuador’s state attorney general’s office and according to the “death date” record the researchers found – among many, many other sensitive types of information – in the database. According to a post from the state AG’s office, the cache also contained the PII of about 7 million minors.
vpnMentor said in its report, released on Monday, that its research team discovered the breach as part of its large-scale web-mapping project. One assumes it’s the same project that recently led the team to a leaky database stuffed with Groupon emails that turned out to belong to crooks who were ripping off ticket sellers using fake email accounts and stolen payment card details.
The leaky Ecuadorian database contained about 18GB of data, mostly pertaining to people apparently located in Ecuador. vpnMentor said that it appears to contain information coming from sources that may include Ecuadorian government registries, an automotive association called Aeade, and an Ecuadorian national bank called Biess.
According to the country’s telecommunications ministry, it received a report on the breach from vpnMentor on 11 September, and the leak was closed on the same day.
On Monday, 16 September, Telecommunications Minister Andres Michelena said that a personal data protection bill that’s been in the works for months would be sent to the National Assembly within 72 hours.
(Note that in its press release about the new data privacy law, the government used two similar spellings to refer to the data analytics company in question: Novastratech SA, which appears to be a computer hardware seller, and Novaestrat, which appears to be the company now under investigation and whose site was down as of Tuesday morning.)
Leonardo Granda, Sophos’s manager of Sales Engineering in Latin America, explained to Naked Security that Ecuador is just one country in Latin America looking at data protection laws.
Latin America is going through a process of digital transformation that is very important but the region lacks mature data protection laws. Although this process is slow, countries like Colombia, Chile, Brazil and Mexico are all working on creating laws to protect their citizens from the loss of personal data. Brazil, for example, has created LGPD, similar to GDPR in Europe that is planned to be stil effective in 2020 with sanctions for all who do not follow it.
Taxpayer IDs, bank account numbers, and so much more
The records were full of what identity thieves consider pure gold. People in the database were identified with a 10-digit ID code – a code that was referred to in some places in the database as “cedula” and “cedula_ruc”. In Ecuador, the terms “cédula” or “cédula de identidad” refers to an individual’s national identification number, which is similar to the taxpayer ID, or Social Security Number (SSN), used in the US.
The term “RUC” refers to Ecuador’s taxpayer registry: Registro Unico de Contribuyentes. Thus, vpnMentor researchers suggest that the “cedula_ruc” value may refer to Ecuadorians’ taxpayer ID number.
Other sensitive information in the database:
- full name (first, middle, last)
- date of birth
- place of birth
- home address
- email address
- home, work, and cell phone numbers
- marital status
- date of marriage (if applicable)
- date of death (if applicable)
- level of education
The researchers also found bank details relating to the Ecuadorian national bank Biess (El Banco del Instituto Ecuatoriano de Seguridad Social), including:
- account status
- current account balance
- amount financed
- credit type
- location and contact information for the person’s local Biess branch
They found still more, including the full name of the individual’s mother, father, and spouse, and were able to view each family member’s “cedula” value – in other words, what may be their national ID number.
Another part of the database held these employment details:
- employer name
- employer location
- employer tax identification number
- job title
- salary information
- job start date
- job end date
And there’s more: vpnMentor also found automotive records that may be linked to individual car owners through their taxpayer identification number, including the car’s license plate number, make, model, date of purchase, most recent date of registration, and other technical details.
The database was also leaking some Ecuadorian businesses’ information, including their Ecuadorian taxpayer identification number (RUC), each company’s address and contact information, and contact details and identity of the companies’ legal representatives.
We don’t know if the researchers at vpnMentor were the first people to find this database, or if the crooks got there first. If they did, they could be using the information they found to conduct email and phone scams, to target people with spam, or organisations with business email compromise (BEC) fraud, to tailor convincing spearphishing attacks, or even to identify potential targets for theft, even kidnapping.
The information could be put together to make a profile that’s useful for all kinds of criminal activity. Granda gives this example:
The worrying thing is that if we cross reference this information, one could determine who is the person with the most money in Ecuador, where he lives, what car he has and even the data of their children.
What do do?
Individuals and businesses in Ecuador, or with interests in Ecuador, will have to remain vigilant for social engineering attempts and scams of all kinds.
For administrators charged with keeping data safe, this breach is another reminder (as if there haven’t been enough already) that databases need to be patched like any other software; that they shouldn’t be attached to the internet unless absolutely necessary; that databases should always have effective access controls that follow the principle of least privilege; that authentication should be multi-factor; and that sensitive data should be encrypted when at rest.
The encryption theme is a critical point in GDPR – it makes sensitive information unreadable to any attacker who tries to rob the data.