[BreachExchange] Arrest made in Ecuador's massive data breach

Destry Winant destry at riskbasedsecurity.com
Thu Sep 19 10:11:50 EDT 2019


Ecuadorian authorities have arrested the executive of a data analytics
firm after his company left the personal records of most of Ecuador's
population exposed online on an internet server.

The arrest is part of an official investigation that Ecuadorian
officials got underway after ZDNet and vpnMentor published articles
yesterday, exposing the massive breach, the biggest in the country's

According to our reporting, a local data analytics company named
Novaestrat left an Elasticsearch server exposed online without a
password, allowing anyone to access its data.

The data stored on the server included personal information for 20.8
million Ecuadorians (including the details of 6.7 million children),
7.5 million financial and banking records, and 2.5 million car
ownership records.


The news that this staggering amount of information had leaked online
sent a shockwave through the small South American country, but the
Ecuadorian government reacted immediately.

In a press conference held on Monday, after news of the massive breach
broke, the Ministry of Telecommunications and Information Society
announced an investigation into Novaestrat, the source of the leak.

Officials said the company was not supposed to be in possession of the
data it had, and that the company and its managers had been put under
investigation on charges of violation of privacy and dissemination of
personal information without authorization.

Ministry officials said they were still looking into how the company
got hold of so much sensitive information; however, they said the
company did not hack or breach any of Ecuador's government servers.

Officials said they believed that Novaestrat might have gained access
to government data during the former political regime, between 2015
and 2017, when it was awarded several government contracts.


After the formal investigation's announcement, local law enforcement
forces moved in pretty quickly. Hours later, federal police raided
Novaestrat's office, which also served as the home of Novaestrat
general manager William Roberto G.

Authorities seized computer equipment from the executive's home, and
took the Novaestrat executive into custody a few hours later, across
the country, in Ecuador's Esmeraldas region, according to a tweet from
María Paula Romo, Ecuador's Interior Minister.

The State Attorney General's Office later confirmed Romo's social media posts.


But the massive privacy breach also served as a wake-up call for the
local government. In the aftermath of the breach, Ecuador's president
asked government officials to expedite the process of passing a new
data privacy law.

In a statement on the Ministry of Telecommunications website,
Telecommunications Minister Andres Michelena Ayala confirmed that his
ministry would comply with the president's request, and submit a new
law to the parliament in the next three days.

Michelena said his office has been working on the new data privacy law
for the past eight months.
