Unprotected Elasticsearch database exposes sensitive information of over 20 million Ecuador citizens

  • The leaky database exposes the personal information of individuals and their family members, employment details, financial information, automotive records, and more.
  • The exposed information appears to be obtained from third-party sources including Ecuadorian government registries, an automotive association called Aeade, and an Ecuadorian national bank named Biess.

What happened?

Security researchers Noam Rotem and Ran Locar from vpnMentor uncovered an unprotected Elasticsearch database belonging to a consulting company named Novaestrat.

What is the impact?

The leaky database contained around 18 GB of data, impacting over 20 million individuals in Ecuador by exposing their sensitive personal information to the public.

  • The leaked records also included an entry for WikiLeaks founder Julian Assange.

“This data breach is particularly serious simply because of how much information was revealed about each individual. Scammers could use this information to establish trust and trick individuals into exposing more information,” said the researchers.

The researchers who uncovered the leaky database contacted its owner and promptly secured it.

What information was exposed?

  • The unsecured database has exposed the personal information of individuals such as their names, gender, dates of birth, place of birth, addresses, email addresses, phone numbers, marital status, date of marriage if married, date of death if deceased, and educational details.
  • The database contained financial information related to accounts held with the Ecuadorian national bank Biess. The financial data includes account status, current balance in the account, amount financed, credit type, location, and contact information.
  • The leaky database included information about the individual's family members such as the names of their mother, father, and spouse along with their “cedula” value, which may be a national identification number.
  • The database exposed various automotive records including the car’s license plate number, make, model, date of purchase, most recent date of registration, and other technical details about the model.
  • Individuals’ detailed employment information including employer name, employer location, employer tax identification number, job title, salary information, job start date, and end date were also exposed.
  • The unsecured database also revealed details related to various companies in Ecuador.

“The data breach could also have an impact on Ecuadorian companies. The leaked data included information about many companies’ employees, as well as details about some companies themselves. These companies may be at risk of business espionage and fraud,” the researchers said in a blog post.
