Inside Ecuador’s massive data leak
Earlier this week, the publication ZDNet and trade publication vpnMentor revealed that Ecuador’s entire population — including former citizen Julian Assange — had highly personal data leaked because a government contractor did almost nothing to keep it secure.
After the report came out, Ecuador officials opened an investigation, arrested the head of the data company, called Novaestrat, and pledged to accelerate privacy legislation.
“This is a very delicate issue that is a major concern for the government,” Interior Minister Maria Paula Romo said in a press conference.
The data leaked was wide-ranging, from taxpayer IDs to data on family networks and home addresses. What was unusual was how comprehensive it was, covering an entire country — evidence of the high stakes involved in cybersecurity. I spoke with one of the researchers behind the discovery, Israeli hacktivist Noam Rotem.
“They just left everything open, no firewalls, no passwords, no nothing,” Rotem told me over the phone. “Everyone with a browser could access it. You don’t need any special tools, nothing.”
He and his collaborator, Ran Locar, had simply been scanning the web for open databases — a passion project — when they stumbled upon the sensitive data. For them, it was just another discovery.
“It’s a hobby,” Rotem said. “It was, ‘Hah, another system!’ Seriously, it’s nothing special. Billions and billions of records are being exposed everywhere.”
But what set this database apart was that it included seemingly every citizen of Ecuador, around 20 million people.
“What made it special was that it covered 100 percent, even more, of the people in Ecuador,” Rotem said, pointing to the fact that even the recently deceased had entries.
Rotem’s team then contacted some of the people in the database to confirm the information was accurate — it was. Then he reached out to Ecuador’s cybersecurity agency.
“I reported it on the 7th [of September] and didn’t hear back from them until the 10th,” he said. Then, once the database had been secured, vpnMentor and ZDNet published the discovery.
For Rotem, the lesson from all this is simply that governments everywhere are far too reckless with citizens’ private information.
“It’s crazy to me that I need to take my car for a yearly test to make sure it’s running properly,” he said, “but anyone can hold the database for the population of an entire country without the need for any license.”
Indeed, questions have been raised about whether Novaestrat was properly vetted before being entrusted with so much data.