Investigation Launched After Ecuadorian Records Exposed
Researchers: Unsecured Elasticsearch Database Included Bank Details, Personal Information
An unsecured database owned by an Ecuadorian consulting company left over 20 million records on the South American country's citizens exposed to the internet, according to a report from two independent security researchers, who published their findings on the vpnMentor blog.
On Monday, Ecuador's Ministry of Telecommunications and the Information Society announced an investigation of consulting firm Novaestrat, which collected the data in a cloud-based database. And the state attorney general's office confirmed that officials confiscated computer equipment and records from the home of Novaestrat executive William Roberto G. A local news outlet reported that the executive was detained by police.
Meanwhile, the Ministry of Telecommunications is expediting a new privacy law requested by Ecuador's president.
Ecuador’s population is about 16 million, which means that some of the exposed records are duplicates or contain information about people who have died, according to the researchers' blog post. The Elasticsearch database contained about 18 GB of data.
The exposed database, which belongs to Novaestrat, a consulting company that provides data analytics and marketing services, contained a wealth of personal information, including full names, home addresses, dates of birth, email addresses, gender identity, 10-digit national identification numbers - the equivalent of a Social Security number in the U.S. - as well as financial information related to bank accounts, according to Noam Rotem and Ran Locar, self-described security researchers and hacktivists.
The database included over 6 million entries with personal details and data on those under the age of 18, according to ZDNet, which first reported on the existence of the database and verified some of the details the researchers uncovered.
Unsecured Data
The two researchers who discovered the unsecured database with Ecuadorian information are working on a large-scale web mapping project, using port scanning techniques to look at various known IP blocks and addresses. During this project, they have found weaknesses and data leaks in numerous files and systems that are stored in the cloud and exposed to the internet (see: Fieldwork Software Database Exposed Customer Data: Report).
While Novaestrat is based in Ecuador, the database was hosted in Florida, the researchers note.
And while the consulting firm secured the database on Sept. 11, it’s not clear how Novaestrat originally obtained all these records, according to the two security researchers. In its statement, Ministry of Telecommunications officials noted that some of the data may have been given to the company through contracts with the previous administration in Ecuador.
"It is presumed that these databases have been fed through the possible commission of a crime by the company Novaestrat SA with the alleged collaboration of former public officials of the previous regime who had access to this information and through access to this information in the execution of contracts in the years 2015-2017," according to the ministry's statement.
Some of the data came from third-party sources, including Ecuadorian government registries, an automotive association called Aeade, and Biess, an Ecuadorian national bank, according to the researchers’ blog post.
A representative of Novaestrat could not be reached for comment, and the company's website was not accessible as of Tuesday.
The financial data from Biess included account status, current balance in the account, amount financed, credit type, location and contact information for the person's local Biess branch, the researchers say.
It's not clear, however, if anyone actually accessed the data that the two researchers found or how long it was exposed. Rotem and Locar are warning that this type of personally identifiable information could be used for numerous types of attacks and hacking, including phone and spam scams, phishing emails and identity theft.
"This data breach is particularly serious simply because of how much information was revealed about each individual," the two researchers write. "Scammers could use this information to establish trust and trick individuals into exposing more information."
Julian Assange Affected
During their investigation, the two researchers found one particular entry of interest: WikiLeaks founder Julian Assange.
In 2012, Assange was granted asylum by the Ecuadorian government and lived for several years within the government's London embassy as his case made its way through the U.K. court system. In April, Ecuador withdrew its agreement and Assange was arrested by British authorities (see: WikiLeaks' Julian Assange Arrested; US Seeks Extradition).
During his period of asylum, it appears that a government database recorded his name and Ecuador assigned him a national identification number as his case made its way through the U.K. legal system, the researchers note. It's not clear when his data was transferred to the Novaestrat database, they add.
Poor Configurations
Over the past several months, vpnMentor researchers have discovered a number of unsecured and exposed databases and servers belonging to corporations as well as governments.
Cybersecurity experts warn that businesses and governments are not properly securing their cloud-based databases and services, such as those provided by Amazon Web Services, which can leave large amounts of data exposed in violation of government regulations concerning privacy and data storage.
"We know that poorly configured servers in AWS are something many administrators struggle with understanding, including how to properly limit access to the data they store there. This is not even about company size or maturity," Chris Morales, head of security analytics at security firm Vectra, tells Information Security Media Group.
"The ability to detect and respond to unauthorized or malicious access to platform or infrastructure cloud services can make the difference between a contained security incident and a full-blown breach of the magnitude that these Ecuadorian citizens are now facing."
Enterprises need to learn important lessons from past data exposure incidents, such as those that affected Equifax and Capital One, and work with cloud service providers to ensure data security, Morales advises.
"Elasticsearch databases in AWS are known to be publicly accessible, and as this is a common setup, it’s important that organizations work with their partners to ensure their data is secure," he says.
(Managing Editor Scott Ferguson contributed to this report.)