Experts Comments: Personal Records Of Most Of Ecuador’s Population Leaked

It has been reported that the personal records of most of Ecuador’s population, including children, have been left exposed online by a misconfigured database.

The database, an Elasticsearch server, was discovered two weeks ago and contained approximately 20.8 million user records, more than the country’s total population. The excess comes from duplicate records and older entries containing the data of deceased persons.

EXPERTS COMMENTS
Matan Or-El, Co-Founder and CEO, Panorays
September 18, 2019
We’ve seen numerous reports about exposed servers, but this recent incident involving the leak of data from Ecuador pertaining to children is particularly frightening. In the wrong hands, this information could pose a risk to children, leading to identity theft and even kidnapping. Regulations like GDPR and CCPA have already recognized these dangers and thus prohibit the selling of children’s personal data without consent. This latest data exposure in Ecuador should serve as a wake-up call as to why such measures are so necessary. This event also underscores the very real need for organizations to be vigilant about how their data is stored and to be continuously monitored so as to avoid such disastrous incidents in the future.
Chris Morales, Head of Security Analytics, Vectra
September 18, 2019
This is yet another example of how poorly configured AWS S3 buckets could lead to an extensive number of individuals’ personal data being exposed, which leaves them at a significant risk of identity fraud and social engineering. We know that poorly configured servers in AWS are something many administrators struggle with understanding, including how to properly limit access to the data they store there. This is not even about company size or maturity. Whilst cloud computing’s instant provisioning and scale are valuable benefits, cloud administrators must know what they’re doing and ensure appropriate access controls are in place to protect their data. As no system or person is ever perfect, the ability to detect and respond to unauthorised or malicious access to Platform or Infrastructure cloud services can make the difference between a contained security incident and a full-blown breach of the magnitude that these Ecuadorian citizens are now facing. The bigger question I have is why is that level of personal data from a government given to a marketing analytics company? What purpose does it serve? The number one rule of data protection is to not have the data. Especially when it is private data a government has shared with a third-party private company. That in itself is a bit scary. Furthermore, the exposure of this data isn’t much different than what was leaked by Equifax, showing that we haven’t learnt from previous breaches as this information was all in a searchable online database that anyone can use. Elasticsearch databases in AWS are known to be publicly accessible, and as this is a common setup, it’s important that organisations work with their partners to ensure their data is secure.
Kevin Gosschalk, CEO, Arkose Labs
September 17, 2019
In the digital-first economy that we are living in, identity is the true currency. This is because the digital economy is built on data and businesses trying to harness the insights from the vast amount of information they have in order to make real-time decisions across their customer touch points. As digital commerce has grown, so has fraud, especially on the backs of the high-profile breaches that have made personal data available in the dark web. Each breached identity represents a real person behind it who has now been made vulnerable to fraudsters across the globe as they try to monetize the credentials. Oftentimes, the identity abuse only stops when the victim realizes and reports the abuse. This is what makes this particular breach especially nefarious, as many of the victims are children who are not actively tracking or monitoring their digital footprint and identity usage. This gives the fraudsters ample time to farm the identities for mass-scale payout, in turn tarnishing the digital footprint of these children even before they enter the digital commerce world. As long as there is money to be made in the world of cybercrime, fraudsters will continue to find a way to breach credentials and subsequently monetize them. It is crucial, now more than ever, to take an approach that is rooted in the long-term eradication of the business of fraud by breaking down the economic incentive.
David Higgins, EMEA Technical Director, CyberArk
September 17, 2019
Ecuador is not alone in moving citizen data or critical applications into the cloud, but if government organisations or private companies are going to go down this route, they need to understand that the cloud provider will only secure what they are putting into the cloud up to a point. Public cloud providers provide straightforward guidance on their shared responsibility models for security and compliance in cloud environments. However, many organisations ignore this; recent data from CyberArk’s annual Global Advanced Threat Landscape report found that around half of global organisations don’t have a strategy in place for securing privileged data and assets in the cloud. This represents an open door for anyone that might wish to access them.
Tarik Saleh, Senior Security Engineer and Malware Researcher, DomainTools
September 17, 2019
The type of data leaked here is the most severe you can have when a breach occurs: full name, date of birth, home address, email address, home, work and cell numbers. Even employment information. In addition to your personal data, if you banked at the national Ecuadorian bank Biess your financial data was also exposed. Financial information like your account status, current balance, credit type and more. What’s even more concerning is that data on individuals’ family members is all exposed as well. This data is a treasure trove for attackers and scammers. This information can now be used to initiate extremely sophisticated phishing attacks, or provide answers to “Challenge/Response” questions for authentication purposes and continued spam attacks. Even lower-level scam artists can leverage exposed phone numbers for carding or other serious cons. When these types of breaches occur, there are strategies around freezing your credit, but a lot of the exposed data isn’t “rotatable”. For instance, if your credit card information gets stolen, you can get a new one with a new number on it. You can’t do that with your social security or other national identification numbers.
Stuart Reed, VP, Nominet
September 17, 2019
The huge breach of Ecuador citizen data not only raises questions around how secure government systems and their supply chains are, but demonstrates how important this is to national trust. With personal details, including national identity numbers, compromised through an unsecured server owned by a consulting and analytics firm, this underlines the importance of security diligence in the supply chain. The fact that there are duplicate entries and details for those who are deceased within the dataset also raises the issue of the quality of data held and the processes for acquiring and storing it. With such sensitive information it is even more important that suppliers share security values. From understanding how people are trained, processes in place – such as password management – to the technological infrastructure; for example using the network to identify malicious actors and data theft. All need to be considered as part of the selection and contracting process.
Stephan Chenette, Co-Founder and CTO, AttackIQ
September 17, 2019
It’s inexcusable for organizations to expose sensitive databases with no security controls. What’s more, it’s imperative for those that do wrap databases with security controls to continuously validate their security controls and the third parties they work with to ensure their protection capabilities are effective. Just last month we witnessed a data breach of 700K due to a database being left exposed for four days. While it is currently unknown if the Elasticsearch server has led to a breach in this incident in Ecuador, over 20.8 million records are at risk, including children under the age of 18. The exposed database holds a wealth of financial information such as account status, account balance, credit type, and work information. Organizations must proactively test and evaluate their security posture to find unsecured databases and other vulnerabilities to ensure data is secure.
Alexander García-Tobar, CEO and Co-founder, Valimail
September 17, 2019
The data leaked includes Ecuadorian citizens’ full name, date of birth, marital status, home address, financial information and family trees. Additionally, the work information of millions of employees was exposed, including their full name, email address, work phone number, employer name and location, salary information, employer tax identification number and more. This shocking leak exposes the impacted people, including children, to identity theft and countless other physical and cyber threats. Of highest concern are the physical dangers this exposed information could lead to - from burglaries and home invasions to kidnappings. Often when we hear of data leaks, people tend to only think of the cyber implications, but in this incident, the physical risks are very real, and very serious. Among other repercussions, this kind of data is more than enough for cybercriminals to orchestrate sophisticated Business Email Compromise (BEC) scams, in which a cybercriminal impersonates the identity of a trusted business partner or coworker in order to launch convincing spear phishing attacks targeting companies for monetary gain. To thwart these types of email attacks, organizations need to be on defense at all times by enforcing industry standards and best practices like DMARC, while implementing advanced anti-phishing solutions that validate senders’ identities.
Chris DeRamus, Co-founder & CTO, DivvyCloud
September 17, 2019
The misconfiguration of an Elasticsearch server left 20.8 million user records exposed – more than the entire population of Ecuador which is about 16.6 million. We’ve seen numerous times how a misconfiguration can expose nearly every customer of a company, but this might be the first instance in which the people of an entire country were put at risk. Misconfigurations are frightfully common, but there are simple and highly effective ways to prevent them. All organizations, everywhere in the world, should deploy automated cloud security solutions that can ensure databases are configured correctly from the beginning, so there is never a risk of misconfiguration. Even as environments change (which is quite often, especially when dealing with the cloud), these solutions provide continuous monitoring and will alert the appropriate personnel in the event of a change that could lead to a security risk, or even trigger automated remediation in real-time. This way, Elasticsearch databases and other assets never have the opportunity to be exposed, even temporarily.
Felix Rosbach, Product Manager, comforte AG
September 16, 2019
We all know that data is the new gold. The monetization of valuable up-to-date data is relatively easy. Some of the companies that offer analytics services don’t care about privacy and data protection – or it’s not their priority 1. This time, unfortunately, innocent children are among the victims. And it’s not only identity theft that can be a consequence. Connecting financial information and family information can lead to gangs targeting and kidnapping children of rich families. Some organizations storing and processing sensitive data might think that specific databases aren’t that valuable. But what happens if attackers get access to multiple databases and are able to connect them? Sadly, with the recent wave of ElasticSearch and other Open Source breaches, it seems as though security is being viewed as an afterthought. Just because a product is freely available and highly scalable doesn’t mean you can skip the basic security recommendations and configurations. It is clear that those that choose to use cloud-based databases must not only perform necessary due diligence to configure and secure every corner of the system properly. Beyond ensuring that products and services are correctly deployed and maintained, organizations must also secure their cloud-based data by adopting a data-centric security model that protects the data at rest, in motion, and in use – even if a properly configured system is compromised.
Hugo van den Toorn, Manager, Offensive Security, Outpost24
September 16, 2019
This is a typical example of a misconfigured system. It should have never been possible for anyone on the Internet, especially without authentication, to access the data stored in the database. Even Elastic themselves quote on one of their recent blogs on securing Elasticsearch: “It’s especially dangerous if the cluster is connected directly to the Internet where anyone can connect without using a password.” With the countless possibilities of ‘quickly deploying a system in the cloud’, security is still often overlooked by organisations. As datasets grow to this size, the data is becoming increasingly valuable to businesses and in some cases even more valuable than money. Unfortunately not everyone protects it like the valuable asset it is.
Tim Dunton, MD, Nimbus Hosting
September 16, 2019
A data breach of this scale will have profound consequences for the 17 million Ecuadorean citizens who have been affected, and is a prime example of the repercussions of an insecure and outdated information database. Information of this scale will be extremely valuable to cyber criminals, and there is seemingly nothing Ecuador’s government can do right now to redeem this situation. This serious incident should act as a reminder to all national governments about the extreme importance of securing all sensitive data on a secure, up-to-date IT system which only allows limited and controlled access at all times.
Todd Peterson, IAM evangelist, One Identity
September 16, 2019
This case further illustrates how organisations of all kinds are still getting security wrong because generally, security is a hassle to their business. No one likes entering user IDs and passwords and even fewer like entering the second factor of authentication that should be used by all organisations. Server misconfigurations are in the news every week, and in some cases lead to massive data leaks, such as the one suffered by the Ecuadorian civil registry. However, there are options to make the first and second factor of authentication less obtrusive so that users are more prone to do the right thing. Practices such as adapting the requirement based on risk, delegating permissions to prevent sharing of superuser credentials, and implementing multifactor authentication in a manner that is user friendly (such as via an app on the user’s phone) all improve security and minimise disruption.
Tim Erlin, VP of Product Management and Strategy, Tripwire
September 16, 2019
The highest profile data breaches in the last couple of years have been from misconfigured cloud storage. These are not generally targeted attacks, but opportunistic, and exposing data doesn’t necessarily mean that it was compromised. Regardless of whether data was compromised or not, however, the type of data that was left exposed is particularly sensitive and makes this leak an example of why it is so crucial to set the foundations of security right. Organizations need to evaluate their own threat model to determine where to focus their security budget. Not every organization is the same, and you can’t apply a single threat model to all of them. In order to secure data stored in the cloud, you need to configure your cloud storage correctly, and you need to be able to detect when that configuration changes in a way that deviates from your established policy.
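As an added illustration of the two checks Hugo van den Toorn and Tim Erlin describe above (a cluster bound to the Internet with no password, and detecting configuration that deviates from an established policy), the following Python example was written for this page and is not code from Elastic or any vendor quoted here. It parses a constructed elasticsearch.yml, flags the exposed state beside the hardened one, and reports policy deviations; the baseline policy values and both sample configs are assumptions.

```python
"""Flag an elasticsearch.yml that would expose a cluster to the Internet
without authentication, and report deviations from a baseline policy.
Constructed example for this article; not code from Elastic or any vendor quoted."""
from typing import Dict, List

# Assumed baseline policy: a cluster reachable beyond loopback must have
# X-Pack security and HTTP TLS switched on.
POLICY = {
    "xpack.security.enabled": "true",
    "xpack.security.http.ssl.enabled": "true",
}
LOOPBACK = {"127.0.0.1", "::1", "_local_", "localhost"}

# Constructed sample configs (not the settings of the server in the article).
WEAK_CONFIG = """
cluster.name: citizen-records
network.host: 0.0.0.0   # listens on every interface, no auth configured
http.port: 9200
"""
HARDENED_CONFIG = """
cluster.name: citizen-records
network.host: 0.0.0.0
xpack.security.enabled: true
xpack.security.http.ssl.enabled: true
"""


def parse_simple_yaml(text: str) -> Dict[str, str]:
    """Parse flat 'key: value' lines of elasticsearch.yml (no nesting needed here)."""
    settings: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop trailing comments
        if not line or ":" not in line:
            continue
        key, value = line.split(":", 1)
        settings[key.strip()] = value.strip().strip("\"'")
    return settings


def is_externally_bound(settings: Dict[str, str]) -> bool:
    """True when HTTP is bound to something other than loopback (the ES default)."""
    return settings.get("network.host", "127.0.0.1") not in LOOPBACK


def findings(settings: Dict[str, str]) -> List[str]:
    """Return findings for one parsed config; an empty list means compliant."""
    out: List[str] = []
    # In the 7.x line current in 2019, security stayed off unless explicitly enabled.
    security_on = settings.get("xpack.security.enabled", "false").lower() == "true"
    if is_externally_bound(settings) and not security_on:
        out.append("CRITICAL: bound to a non-loopback interface with security disabled; "
                   "anyone who can reach port 9200 can read and modify every index")
    for key, expected in POLICY.items():
        actual = settings.get(key, "<unset>")
        if actual.lower() != expected:
            out.append(f"POLICY DEVIATION: {key}={actual} (expected {expected})")
    return out
```

Running `findings(parse_simple_yaml(WEAK_CONFIG))` yields the critical finding plus two policy deviations, while the hardened config returns an empty list; wiring the same function into a scheduled job over the live config file is the continuous-monitoring step Erlin describes.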
Javvad Malik, Security Awareness Advocate, KnowBe4
September 16, 2019
The Ecuador breach is another in a very long list of cloud-based databases leaking information to anyone with an internet connection. But this is particularly significant due to the number of records and the sensitivity of the data. Most troubling perhaps being the data of children being stolen, which can be used by criminals to set up fake identities, or take out loans, which the victims won't realize until later in life when they find their credit is ruined. Companies and governments in particular should always secure their databases to ensure they are not publicly available. In addition, when dealing with third parties which may access, process, or store the data, they should undertake rigorous due diligence to verify the third party also adheres to good security controls. Finally, and perhaps most importantly - before creating such large databases, governments and companies should ask whether such a large collection is necessary, legal, whether or not they have the ability to secure it adequately, and what the impact of any breach would be.
