The breach, which was uncovered by Noam Rotem and Ran Locar, exposed around 20.8 million records of Ecuadorians’ personal information, totaling 18 gigabytes of data. The breach occurred through an unsecured server located in Miami, Florida, according to a recent blog post by vpnMentor. The server appears to be owned by Ecuadorian consulting company Novaestrat.
The entire population of Ecuador is about 16.6 million. Some of the data entries may thus be duplicates or “involve individuals who are already deceased,” according to the blog post.
“The majority of the affected individuals seem to be located in Ecuador. Although the exact details remain unclear, the leaked database appears to contain information obtained from outside sources. These sources may include Ecuadorian government registries, an automotive association called Aeade, and Biess, an Ecuadorian national bank,” the vpnMentor blog post reads.
Individuals in the database were identified by their “cedula,” which refers to an Ecuadorian’s 10-digit national identification number. Other examples of leaked personal information included the “RUC,” which is a person’s taxpayer identification number, according to the report, as well as full name, gender, date of birth, place of birth, home address, email address, home, work and cell phone numbers, marital status, date of marriage, date of death and level of education.
The entries also included information about people’s family members, such as the full names of a person’s mother, father and spouse, as well as each one of their “cedulas.”
Some of the entries even included financial information related to bank accounts with Biess, the Ecuadorian national bank. Examples of such entries included account status, current account balance, amount financed and credit type, as well as “location and contact information for the person’s local Biess branch,” according to the blog post. Other parts of the database disclosed detailed employment information such as an employer’s name, employer location, employer tax identification number, job title, salary details and even job start and end dates.
The leaked records also included an entry for Assange, which contained a “cedula” value associated with him. Assange was granted political asylum by Ecuador in 2012. He stayed in the country’s embassy in London until April 2019, when Ecuador ended his asylum, claiming he violated its terms.
VpnMentor closed the breach on September 11. However, the firm warned that once data is “exposed,” it “can’t be undone.”
“The database is now closed, but the information may already be in the hands of malicious parties. This kind of data breach could have been prevented with some basic security measures. No matter what the size of your company is, you should always use the following security practices: Secure your servers, implement appropriate access rules, require authentication to access all systems,” vpnMentor counseled.