Anatomy of a Breach

Anatomy of a Breach: Ecuador — 20.8 Million Citizens Exposed, Including the Dead

> series: anatomy_of_a_breach —— part: 129 —— target: ecuador_population —— records: 20,800,000 —— authentication: none —— includes: deceased_citizens<span class="cursor-blink">_</span>_

Hedgehog Security 30 September 2019 12 min read
data-breach ecuador 20-million elasticsearch entire-population no-authentication government-data series
Breach #129

20.8 million records. More than the living population. On an unsecured Elasticsearch server.

In September 2019, researchers at vpnMentor discovered an unsecured Elasticsearch database containing the personal records of approximately 20.8 million Ecuadorians — exceeding Ecuador's living population of approximately 17 million because the database also included records of deceased citizens. The database, operated by Ecuadorian data analytics firm Novaestrat, contained 18GB of data including full names, dates of birth, places of birth, home addresses, national ID (cédula) numbers, tax identification numbers, employment information, employer names, job titles, salary details, marital status, family member relationships, and — for some records — financial account information from Banco del Instituto Ecuatoriano de Seguridad Social.

The Elasticsearch server required no authentication whatsoever — anyone who discovered the server's IP address could access the complete dataset. The exposure echoed the MongoDB ransomware wave of 2017 and the Moonpig API (2015): critical databases deployed without any access controls. The Ecuadorian government arrested the Novaestrat executive responsible and introduced emergency data protection legislation.

Population-Scale Exposure
Recommended

Not sure where to start?

We'll scope your test for free and tell you exactly what you need. No obligation, no hard sell.

Free Scoping Call

An entire nation's data — including the dead — with no password.

Entire Population Exposed
Like the <a href="/blog/anatomy-of-a-breach-philippines-comelec">Philippines COMELEC breach</a> (55M voters, 2016) and the <a href="/blog/anatomy-of-a-breach-opm">US OPM breach</a> (21.5M, 2015), the Ecuador exposure affected an entire national population. When population-scale data is exposed, the consequences extend beyond individual identity theft to national security, economic stability, and social trust.
No Authentication — Again
The Elasticsearch server had no authentication. This is the same class of misconfiguration that enabled the <a href="/blog/anatomy-of-a-breach-mongodb-ransomware">MongoDB attacks</a> (2017) and that our <a href="/penetration-testing/infrastructure">infrastructure testing</a> and <a href="/penetration-testing/cloud-configuration-review">cloud configuration reviews</a> check for on every engagement. <a href="/cyber-essentials">Cyber Essentials</a> mandates authentication on all systems.
Third-Party Data Aggregator
Novaestrat was a private analytics firm that had aggregated government data — creating a single point of failure for the entire population's records. The concentration of data in third-party aggregators creates systemic risk. Our <a href="/blog/sector-under-the-microscope-professional-services">supply chain analysis</a> examines third-party data concentration risk.
Records of the Deceased
The database included records of deceased citizens — demonstrating that the data had been compiled from historical government records without any data minimisation or retention controls. Under GDPR, data must be retained only as long as necessary for its purpose. <a href="/cyber-essentials">Cyber Essentials</a> and GDPR compliance both require data minimisation.
Lessons

Authentication is not optional. Data minimisation is not optional. Ever.

The Ecuador breach demonstrated two fundamental principles: first, every database must require authentication — there is no scenario where an internet-accessible database should accept anonymous connections. Second, data aggregation without security creates population-scale risk. Cyber Essentials mandates authentication on all systems. Our infrastructure testing identifies exposed databases. Cloud configuration reviews assess Elasticsearch, MongoDB, and other database exposure. SOC in a Box monitors for unauthorised database access. And UK Cyber Defence provides incident response when exposed databases are discovered.

Database Security

Ecuador's entire population exposed through an unsecured database. Are your databases authenticated?

Our <a href="/penetration-testing/infrastructure">infrastructure testing</a> finds exposed databases. <a href="/penetration-testing/cloud-configuration-review">Cloud reviews</a> check Elasticsearch and MongoDB. <a href="/cyber-essentials">Cyber Essentials</a> mandates authentication.

Commission an Infrastructure Test Next: NordVPN
Next Step

Not sure where to start?

We'll scope your test for free and tell you exactly what you need. No obligation, no hard sell.

Free Scoping Call
Keep Reading

Related Articles

Anatomy of a Breach 31 January 2020

Anatomy of a Breach: Microsoft — 250 Million Customer Service Records Exposed via Misconfigured Elasticsearch

Breach #133. In January 2020, security researcher Bob Diachenko discovered five Elasticsearch servers belonging to Microsoft that were exposed to the internet without authentication, containing approximately 250 million customer service and support records spanning 14 years. The records included email addresses, IP addresses, support case details, and internal notes marked as 'confidential.' Microsoft confirmed the misconfiguration and secured the servers within 24 hours. The breach demonstrated that even the world's largest technology company is not immune to the database misconfiguration vulnerabilities documented throughout this series.

microsoft elasticsearch
12 min read
Anatomy of a Breach 31 January 2015

Anatomy of a Breach: Moonpig — The API That Let Anyone Access Any Customer's Account

Breach #073. In January 2015, security researcher Paul Price publicly disclosed that Moonpig — the UK's largest personalised greeting card website — had an API that required no authentication whatsoever. Any user could access any other customer's account information — including names, addresses, phone numbers, dates of birth, and the last four digits of payment cards — simply by changing the customer ID number in API requests. Price had responsibly disclosed the vulnerability to Moonpig 17 months earlier. Moonpig had done nothing.

data-breach moonpig
12 min read
Anatomy of a Breach 28 February 2014

Anatomy of a Breach: Korea Credit Bureau — 20 Million Records Stolen by a Temporary Consultant

Breach #062. In January 2014, South Korean authorities arrested a temporary IT consultant at the Korea Credit Bureau who had stolen the personal and financial data of approximately 20 million South Koreans — about 40% of the country's population — from the databases of three major credit card companies (KB Kookmin, Lotte, and NH Nonghyup). The consultant had simply copied the data to a USB drive over a period of months while working on a system upgrade. The breach triggered a national crisis, mass card cancellations, and the resignation of credit card company executives.

data-breach korea-credit-bureau
12 min read
All Posts Get in Touch