Personal information of almost all Ecuadorian citizens, including national IDs and taxpayer numbers, has leaked: details of the data leak


by dfespi

The research team at vpnMentor, which provides tools for web privacy and VPNs, reported a massive information leak affecting over 20 million people. According to vpnMentor, the leaked information, which includes Ecuadorian taxpayer identification numbers and national identification numbers, could cause long-term privacy problems. vpnMentor describes the leak in detail on its blog.

Report: Ecuadorian Breach Reveals Sensitive Personal Data
https://www.vpnmentor.com/blog/report-ecuador-leak/

Noam Rotem and Ran Locar, who lead the research team, discovered that a server belonging to the Ecuadorian company "Novaestrat" was sitting unprotected in Miami, Florida, USA, and announced that the personal information of more than 20 million people had leaked. Novaestrat is a consultancy that provides data analysis, strategic marketing and software development.

According to the World Bank, the population of Ecuador as of 2017 was about 16.6 million, and the Ecuadorian Attorney General's office states that the data may include information on deceased people in addition to the living Ecuadorian population. At the time of writing, it is not known how many people are actually affected by this data breach.

◆ What information was leaked?
The database contained 18GB of personal information such as:

・ Name (including last name, middle name, and first name)
・ Sex
・ Birthday
・ Birthplace
・ Home address
・ Email address
・ Home, work, and mobile phone numbers
・ Marital status
・ Marriage date (if applicable)
・ Date of death (if applicable)
・ Education level

An example of a record containing the above information is as follows. “Cédula” refers to a 10-digit national identification number.



The database also contained information sourced from various institutions such as government registries, the automotive association Aeade, and the national bank Biess. The data linked to Biess accounts includes the following.

・ Account status
・ Account balance
・ Loan amount
・ Credit type
・ Location and contact information of the bank branch nearest to the owner

The following is an example of data containing account information. 'Index-biess' and 'type-biess' are written at the beginning, and fields such as 'estado (status)', 'topo_credito (credit type)', and 'biess_correo (Biess email address)' are fully visible.



In addition, the data includes the full names of the mother, father, and spouse. “cedula” is recorded here as well, so the national identification numbers of family members, not just of the person concerned, can be learned.



In addition, the following employment information was also included.

・ Employer's name
・ Location of employer
・ Taxpayer identification number of employer
・ Job title
・ Salary information
・ Start date of work
・ End date of work

In addition, detailed information about car owners sourced from Aeade, such as “vehicle number”, “manufacturer”, “model”, and “purchase date”, is linked through the taxpayer identification number. Besides personal information, the database may contain details of companies, including sensitive information.

◆ What are the dangers?
Because the leaked data includes email addresses and phone numbers, the people affected can become prime targets of fraud, spam, and phishing attacks. In addition, because personal information including family relationships has been exposed, so-called wire fraud tricks can become more sophisticated. The highest risk is believed to be that, because national identification numbers and taxpayer identification numbers were leaked, a malicious attacker could obtain the information necessary to access bank accounts.

Although the database had been closed at the time of writing, information that has leaked once cannot be taken back, and it may already have passed into the hands of malicious people. To prevent data leaks like this one, vpnMentor said that it is important to adopt measures such as “Keep the server secure”, “Implement appropriate access rules”, and “Authentication required for access to all systems”.

Julian Assange, known as a journalist and the founder of WikiLeaks, fled to the Ecuadorian embassy in June 2012 and spent seven years there before being arrested by British police on April 11, 2019. Assange's name has also been confirmed in this database.



As soon as the media began reporting on the vpnMentor investigation report, the Ecuadorian government began investigating.

IT Firm Manager Arrested in the Biggest Data Breach Case of Ecuador's History
https://thehackernews.com/2019/09/ecuador-data-breach.html

Arrest made in Ecuador's massive data breach | ZDNet
https://www.zdnet.com/article/arrest-made-in-ecuadors-massive-data-breach/

At a press conference on Monday, September 16, 2019, representatives of Ecuador's Ministry of Communications and Information Society explained that there appeared to be no data at Novaestrat's headquarters, and that an investigation was underway on suspicion that the company had infringed on privacy and disseminated personal information without authority. They also stated that Novaestrat had not hacked the Ecuadorian government server. Novaestrat undertook government work during the previous administration and is believed to have accessed the data at that time.

A few hours after the conference, federal police went to the home of general manager William Roberto Garces, which also serves as Novaestrat's office. According to a tweet by Ecuador's interior minister Maria Paula Romo, computers, memory, documents, and other items were seized from Garces' home, and Garces himself was detained.



Garces, who was taken to the capital, Quito, for questioning, may face criminal charges in the future.

In response to this incident, the Ecuadorian government stated that it would impose sanctions on private companies that infringe on privacy and disclose personal information without authority. It also indicated that new data privacy laws, which have been under discussion for the past eight months, will be enacted in the near future.

in Security, Posted by logq_fa