Elasticsearch Data Leak Affects Children, People of Ecuador

Cybersecurity researchers from vpnMentor found a leaking Elasticsearch server two weeks ago. The exposed database contained personal information on millions of Ecuador’s citizens. A local company named Novaestrat is blamed for the leak.

ZD Net states that the data breach is one of the biggest leaks in the history of Ecuador. Ecuador is a small country located in South America. It has a population of approximately 16.6 million people.

Following the discovery of the server, researchers Noam Rotem and Ran Locar from vpnMentor reached out to ZD Net for an exclusive interview. Both channels worked closely to analyze the data provided and to verify the evidence obtained from the database.

Compromised information totaled 20.8 million records, exceeding the number of individuals in the country. The records include duplicates and older entries, including entries for people who are already deceased. Most of these records were spread across different databases coming from different sources, reports ZD Net.

Information affected by the breach includes names of individuals as well as their family members or family trees. Apart from these, financial and work data, civil registration, and car ownership info were also found on the servers. According to ZD Net and the researchers, the data on the servers could be divided into governmental sources and non-government sources.

Among the information obtained by the team, most of the data retrieved came from the civil registry under the Ecuadorian government. These records include full names, dates of birth, places of birth, phone numbers, home addresses, and work and salary information. The government registry also showed each person’s national ID number, or cedula, level of education, and marital status.

Indexes in the database categorized as ‘familia’ reportedly revealed complete family information. These comprise info on both children and parents, as well as most people’s family trees.

Researchers were alarmed to find that 6.77 million of these entries belonged to people below the age of 18. Some of the registered names belonged to infants and babies born as recently as the spring of 2019. The entries leaked the names, national ID numbers, gender, home addresses, and corresponding places of birth.

Meanwhile, data from non-government or private sources came from two entities. The first of these is the Banco del Instituto Ecuatoriano de Seguridad Social (BIESS). The second is the Asociación de Empresas Automotrices del Ecuador (AEADE).

Data retrieved from the BIESS showed financial data of Ecuadorian customers and citizens, including account status and balance. Credit card information and employment details were also found in the database.

On the other hand, the AEADE data contained car ownership details, including names, vehicle models, and license plates.

Novaestrat secured the breach a week after ZD Net and vpnMentor reached out on numerous platforms.