Experts Comments: Personal Records Of Most Of Ecuador’s Population Leaked

It has been reported that the personal records of most of Ecuador’s population, including children, has been left exposed online due to a misconfigured database.

The database, an Elasticsearch searver, was discovered two weeks ago and contained a total of approximately 20.8 million user records, a number larger than the country’s total population count. The bigger number comes from duplicate records or older entries, containing the data of deceased persons.

 


EXPERTS COMMENTS
Matan Or-El, Co-Founder and CEO,  Panorays
September 18, 2019
Regulations like GDPR and CCPA have already recognized these dangers and thus prohibit the selling of children’s personal data without consent.
We’ve seen numerous reports about exposed servers, but this recent incident involving the leak of data from Ecuador pertaining to children is particularly frightening. In the wrong hands, this information could pose a risk to children, leading to identity theft and even kidnapping. Regulations like GDPR and CCPA have already recognized these dangers and thus prohibit the selling of children’s ....
[Read More >>]
Chris Morales, Head of Security Analytics,  Vectra
September 18, 2019
Especially when it is private data a government has shared with a third-party private company. That in itself is a bit scary.
This is yet another example of how poorly configured AWS S3 buckets could lead to an extensive number of individuals personal data being exposed, which leaves them at a significant risk of identity fraud and social engineering. We know that poorly configured servers in AWS is something many administrators struggle with understanding, including how to properly limit access to the data they store th ....
[Read More >>]
Kevin Gosschalk, CEO,  Arkose Labs
September 17, 2019
Often times, the identity abuse only stops when the victim realizes and reports the abuse.
In a digital first economy that we are living in, identity is the true currency. This is because the digital economy is built on data and businesses trying to harness the insights from the vast amount of information they have in order to make real-time decisions across their customer touch points. As the digital commerce has grown, so has fraud, especially on the backs of the high profile breaches ....
[Read More >>]
David Higgins, EMEA Technical Director,  CyberArk
September 17, 2019
Public cloud providers provide straightforward guidance on their shared responsibility models for security and compliance in cloud environments.
Ecuador is not alone in moving citizen data or critical applications into the cloud, but if government organisations or private companies are going to go down this route, they need to understand that the cloud provider will only secure what they are putting into the cloud up to a point. Public cloud providers provide straightforward guidance on their shared responsibility models for security and c ....
[Read More >>]
Tarik Saleh, Senior Security Engineer and Malware Researcher,  DomainTools
September 17, 2019
This data is a treasure trove for attackers and scammers.
The type of data leaked here is the most severe you can have when a breach occurs: full name, date of birth, home address, email address, home, work and cell numbers. Even employment information. In addition to your personal data, if you banked at the national Ecuadorian bank Biess your financial data was also exposed. Financial information like your account status, current balance, credit type an ....
[Read More >>]
Stuart Reed, VP ,  Nominet
September 17, 2019
The fact that there are duplicate entries and details for those that have deceased within the dataset.
The huge breach of Ecuador citizen data not only raises questions around how secure government systems and their supply chains are, but demonstrates how important this is to national trust. With personal details, including national identity numbers, compromised through an unsecured server owned by a consulting and analytics firm, this underlines the importance of security diligence in the supply c ....
[Read More >>]
Stephan Chenette , Co-Founder and CTO,  AttackIQ
September 17, 2019
The exposed database holds a wealth of financial information such as account status, account balance, credit type, and work information.
It’s inexcusable for organizations to expose sensitive databases with no security controls. What’s more, it’s imperative for those that do wrap databases with security controls to continuously validate their security controls and the third parties they work with to ensure their protection capabilities are effective. Just last month we witnessed a data breach of 700K due to a database being l ....
[Read More >>]
Alexander García-Tobar, CEO and Co-founder,  Valimail
September 17, 2019
This shocking leak exposes the impacted people, including children, to identity theft and countless other physical and cyber threats.
The data leaked includes Ecuadorian citizens’ full name, date of birth, marital status, home address, financial information and family trees. Additionally, the work information of millions of employees was exposed, including their full name, email address, work phone number, employer name and location, salary information, employer tax identification number and more. This shocking leak exposes ....
[Read More >>]
Chris DeRamus , VP of Technology Cloud Security Practice,  Rapid7
September 17, 2019
Misconfigurations are frightfully common, but there are simple and highly effective ways to prevent them.
The misconfiguration of an Elasticsearch server left 20.8 million user records exposed – more than the entire population of Ecuador which is about 16.6 million. We’ve seen numerous times how a misconfiguration can expose nearly every customer of a company, but this might be the first instance in which the people of an entire country were put at risk. Misconfigurations are frightfully common, ....
[Read More >>]
Felix Rosbach, Product Manager,  comforte AG
September 16, 2019
Sadly, with the recent wave of ElasticSearch and other Open Source breaches, it seems as though security is being viewed as an afterthought.
We all know that data is the new gold. The monetization of valuable up-to-date data is relatively easy. Some of the companies that offer analytics services don’t care about privacy and data protection – or it’s not their prio 1. This time, unfortunately, innocent children are among the victims. And it’s not only identity theft that can be a consequence. Connecting financial information and ....
[Read More >>]
Hugo van den Toorn, Manager, Offensive Security,  Outpost24
September 16, 2019
As datasets grow to this size, the data is becoming increasingly valuable to businesses and in some cases even more valuable than money.
This is a typical example of a misconfigured system. It should have never been possible for anyone on the Internet, especially without authentication, to access the data stored in the database. Even Elastic themselves quote on one of their recent blogs on securing Elastiscsearch: “It’s especially dangerous if the cluster is connected directly to the Internet where anyone can connect without us ....
[Read More >>]
Tim Dunton, MD,  Nimbus Hosting
September 16, 2019
This serious incident should act as a reminder to all national governments about the extreme importance of securing all sensitive data.
A data breach of this scale will have profound consequences for the 17 million Ecuadorean citizens whom have been affected, and is a prime example of the repercussions of an unsecure and outdated information database. Information of this scale will be extremely valuable to cyber criminals, and there is seemingly nothing Ecuador’s government can do right now to redeem this situation. This seriou ....
[Read More >>]
Todd Peterson, IAM evangelist,  One Identity
September 16, 2019
Server misconfigurations are on the news every week, and in some cases lead to massive data leaks.
This case further illustrates how organisations of all kinds are still getting security wrong because generally, security is a hassle to their business. No one likes entering user IDs and passwords and even fewer like entering the second factor of authentication that should be used by all organisations. Server misconfigurations are on the news every week, and in some cases lead to massive data lea ....
[Read More >>]
Tim Erlin, VP of Product Management and Strategy ,  Tripwire
September 16, 2019
Organizations need to evaluate their own threat model to determine where to focus their security budget.
The highest profile data breaches in the last couple of years have been from misconfigured cloud storage. These are not generally targeted attacks, but opportunistic, and exposing data doesn’t necessarily mean that it was compromised. Regardless of whether data was compromised or not, however, the type of data that was left exposed is particularly sensitive and makes this leak an example of why ....
[Read More >>]
Javvad Malik, Security Awareness Advocate,  KnowBe4
September 16, 2019
Companies and governments in particular should always secure their databases to ensure they are not publicly available.
The Ecuador breach is another in a very long list of cloud-based databases leaking information to anyone with an internet connection. But this is particularly significant due to the number of records and the sensitivity of the data. Most troubling perhaps being the data of children being stolen which can be used by criminals to setup fake identities, or take out loans against which the victims w ....
[Read More >>]

If you are an expert on this topic:

Submit Your Expert Comments


In this article