Security company vpnMentor spotted the breach on a Miami-based Elasticsearch server owned by the Ecuadorian company Novaestrat. According to vpnMentor, the data appears to have come from multiple sources including Ecuadorian government registries, an Ecuadorian national bank and an automotive association. It includes everything from names, birth dates and contact information to national identification numbers, taxpayer identification numbers, driving records and bank account balances. It even includes detailed information about individuals' family members.
vpnMentor notified Ecuador's Computer Emergency Response Team, and the breach was closed on September 11th. Ecuador has reportedly detained the manager of Novaestrat, and the country's Minister of Telecommunications said this could be punished as a criminal offense.
As vpnMentor points out, this breach could have long lasting ramifications. If the data was obtained by bad actors, it could be used for scams, phishing attacks, identify theft and fraud. It could also impact Ecuadorian companies.
Ecuador isn't the only country to be hit by a breach like this. Earlier this year a Bulgarian tax agency may have leaked data on an estimated 5 million of the country's 7 million residents. And in the US, 32 million patient records were breached in just the first half of 2019. While the scope and level of detail in this data leak is disturbing, it's perhaps more unsettling how common breaches like this have become.