An exposed Elasticsearch database has been discovered, and the resulting data breach leaked sensitive and personally identifiable information on the majority of the population of Ecuador, a small South American nation, including information on children. The data is especially compromising because it includes entries that detail the genealogy (the family tree) of Ecuadorian citizens.
The database spares little of Ecuador's population: it exposed the data of 16.6 million citizens in more than 20.8 million user records. The discrepancy between the number of entries and the country’s population is due to duplicate and old records.
vpnMentor cybersecurity researchers Noam Rotem and Ran Locar discovered the Elasticsearch indexes, and the finding was later validated by ZDNet’s Catalin Cimpanu. The researchers said that the database contained personal information on most of the population of the South American country. They said that the data in the leaked indexes appeared to be sourced from two different data pools: the civil registry and private companies that keep databases of their customers, clients, and employees.
Data of asylum seeker, Julian Assange, found in the database
The bulk of the information in the leaked database comes from government databases and the civil registry, and it has effectively put the information of almost all Ecuadorian citizens out in the open. The information uncovered by the researchers includes citizens’ full names, dates of birth, places of birth, home addresses, marital status, cedulas (national ID numbers), work/job information, phone numbers, and education levels.
Since the database contained information for the likes of Julian Assange, it could be assumed that everyone who was given a cedula has their information in the leaked database. Assange is the man behind the infamous WikiLeaks, which exposed a number of classified documents and information from the U.S. government. Assange sought asylum from Ecuador’s government to avoid prosecution in the United States.
Citizens’ genealogy can be traced from the data breach in Ecuador
One of the most alarming indexes found in the Elasticsearch database was an index named “familia” (family), which contained information on citizens’ family members, such as children and parents. The level of detail in the database could allow anyone with access to it to trace the family tree of every citizen in Ecuador, the researchers said.
Anyone could reconstruct anyone’s family tree using the database, especially since it contains 6.77 million entries for children under the age of 18. Some of these entries exposed data for newborns who were delivered in 2019, suggesting that the exposed database is an updated registry.
The researchers said that exposing the information of children online is “the biggest privacy concern” regarding the data breach in Ecuador. They warned that the breach puts children in a vulnerable position where they can be targeted with identity theft, and that their safety is at risk since the database contains their detailed home addresses.
Data scraped from the private sector are in the database too
Aside from the information that was deduced to belong to a government database, the researchers were also able to discover other indexes that appeared to come from the private sector. The information was possibly scraped from private databases of companies whose acronyms are BIESS and AEADE, as indicated in the database index names.
BIESS stands for Banco del Instituto Ecuatoriano de Seguridad Social and is a bank that holds Ecuadorian citizens’ financial data such as account status, account balance, credit type, and information about the account owner, including job details. AEADE, which stands for Asociación de Empresas Automotrices del Ecuador, contains information regarding car owners and their license plates. In total, the leaked database contained 7 million financial records together with 2.5 million car records.
As of writing, the Ecuadorian government has yet to release an official statement regarding the data breach that leaked the personal data of most of its population, including its president.