Massive Novaestrat data leak effects over 20 million in Ecuador

A report by ZDNet, with help from vpnMentor’s Noam Rotem and Ran Locar, have uncovered what’s likely the largest data leak in the history of Ecuador. This leak contains roughly 20.8 million user records. Ecuador has a population of 16.6 million so it’s safe to say this leak has impacted a vast majority of the Ecuadorian population. The number of user records is larger than the number of Ecuadorians because it includes records of those that have passed away. ZDNet confirmed the presence of Ecuador’s President’s as well as Julian Assange’s records in the leak. The leak came from a company called Novaestrat by way of a mis-configured Elastisearch server.

Ecuador suffers data leak effecting millions

The leaked data even contained the government’s intimate knowledge of each Ecuadorian citizen. The databases included full names, birthdates, addresses, marital statuses, employer information, education levels, phone numbers, as well as the Ecuadorian national ID number – known as a cedula. Besides these personal records, the leak even revealed some peoples’ financial records and information regarding their car registration – and their family trees. What’s more, some 6.8 million children had their records leaked, as well. In fact, the researchers showed that previous years’ data in the exposed databases perfectly matched up with Ecuador’s historically reported amount of births – which demonstrates the overall accuracy and completeness of these records.

The mis-configured server was using Elastisearch – and the way the information was indexed suggests that the data had different origins. The researchers thought that the various goldmines of data had been compiled by the Ecuadorian government from private databases – but it turned out that the government’s information was just another input in this large leak. Their largest database contributed was likely compiled by the Ecuadorian Civil Registry. From the index labels, the researchers were also able to pinpoint some of the private sources from which the databases were created. Namely, the Banco del Instituto Ecuatoriano de Seguridad Social (Ecuadorian Social Security Institutional Bank) and the Asociación de Empresas Automotrices del Ecuador (Ecuadorian Association of Automotive Businesses) – which totaled up to 7 million financial records and 2.5 million car registration records.

The researchers were unable to get in contact with the company via Facebook, the company’s forum, and Linkedin after discovering that the company listed no phone number or email address for contact. Thankfully, the database is now secured, but only after an unnecessarily lengthy disclosure process which involved having to call in the Ecuador Computer Emergency Response Team (CERT) to contact Novaestrat as an intermediary. This isn’t the first time that a mis-configured database has leaked millions of personal records, and it’s unlikely to be the last. For millions of Ecuadorians, and billions around the world, this is a stark reminder of the need for privacy in the Internet age.