[BreachExchange] Database leaks data on most of Ecuador's citizens, including 6.7 million children

Destry Winant destry at riskbasedsecurity.com
Tue Sep 17 10:13:29 EDT 2019


The personal records of most of Ecuador's population, including
children, have been left exposed online due to a misconfigured
database, ZDNet has learned.

The database, an Elasticsearch server, was discovered two weeks ago by
vpnMentor security researchers Noam Rotem and Ran Locar, who shared
their findings exclusively with ZDNet. Together, we worked to analyze
the leaking data, verify its authenticity, and contact the server

The leaky server is one of the biggest, if not the biggest, data breaches in
Ecuador's history, a small South American country with a population of
16.6 million citizens.


The Elasticsearch server contained a total of approximately 20.8
million user records, a number larger than the country's total
population count. The bigger number comes from duplicate records or
older entries, containing the data of deceased persons.

The data was spread across different Elasticsearch indexes. These
indexes contained different information, supposedly obtained from
different sources. They stored details such as names, information on
family members/trees, civil registration data, financial and work
information, but also data on car ownership.

Based on the names of these indexes, the entire database could be
split in two main categories, based on the data's supposed origin.
There's data that appears to have been gathered from government
sources, and data that appears to have been gathered from private


The most extensive data was the one that appears to have been gathered
from the Ecuadorian government's civil registry.

This data contained entries holding citizens' full names, dates of
birth, places of birth, home addresses, marital status, cedulas
(national ID numbers), work/job information, phone numbers, and
education levels.

ZDNet verified the authenticity of this data by contacting some users
listed in the database. The database was up to date, containing
information as recent as 2019.

We were able to find records for the country's president, and even
Julian Assange, who once received political asylum from the small
South American country, and was issued a national ID number (cedula).


But we only truly understood the extent of this data when we looked at
an index named "familia" (family in Spanish), which contained
information about every citizen's family members, such as children and
parents, allowing anyone to reconstruct family trees for the entire
country's population.

However, things didn't stop here. When looking at this index we also
realized that there were entries for children, some of whom were born
as recently as this spring.

For example, we found 6.77 million entries for children under the age
of 18. These entries contained names, cedulas, places of birth, home
addresses, and gender.

The table below shows the number of children records we found in the
leaky database. With the exception of the past few years, the rest of
the database entries are in tune with public reporting on the
country's natality rate.

The leak of children's data is without a doubt the biggest privacy
concern about this incident. This leak not only exposes children to
potential identity theft, but also puts them in physical danger
because their home addresses have been left exposed online for anyone
to find.


But this wasn't all that the database contained. While initially we
thought vpnMentor security researchers stumbled upon a database
belonging to the Ecuadorian government, this didn't turn out to be

At a closer look, the database also contained indexes labeled with the
acronyms of private entities, suggesting they were either imported or
scraped from those particular sources. Of note, two indexes were named

The first, BIESS, stands for Banco del Instituto Ecuatoriano de
Seguridad Social, and contained financial information for some
Ecuadorian citizens, such as account status, account balance, credit
type, and information about the account owner, including job details.

The second, AEADE, stands for Asociación de Empresas Automotrices del
Ecuador, and contained information on car owners, and their respective
cars, including car models and car license plates.

In total, we found 7 million financial records, and 2.5 million
records containing car and car owner details.

Just like the Elasticsearch index holding the data of children, these
two indexes are also extremely sensitive. The information in both
indexes would be as valuable as gold in the hands of criminal gangs.

Crooks would be able to target the country's most wealthy citizens
(based on their financial records) and steal expensive cars (having
access to car owners' home addresses and license plate numbers).

Connect the data about children and the data about financial records, and
criminals would have a list of the most wealthy Ecuadorians, their
home addresses, and if they had any children -- making it trivially
easy to target and kidnap children from rich families.


When it came time to track down the source of this leak, both ZDNet
and vpnMentor independently reached the same source, namely a local
company named Novaestrat.

According to its website, the company provides analytics services for
the Ecuadorian market. Its website boldly displays the statement "Make
financial decisions with updated information of the entire Ecuadorian
Financial System" [translated].

However, getting in contact with the company was not as easy as it
sounded. The company did not display an email address or phone number
where it could be reached. ZDNet reached out to the company via
Facebook, and tried contacting employees via LinkedIn, to no success.
The company's support forum yielded a PHP error when we tried
registering an account.

The database was eventually secured later last week, but only after
vpnMentor reached out to the Ecuador CERT (Computer Emergency Response
Team) team, which served as an intermediary.

This is the second major leak of user data originating from a South
American country in as many months. In August, ZDNet reported about a
similar Elasticsearch server that exposed the voter records of 14.3
million Chileans, around 80% of the country's entire population.
