Ecuador Investigates Data Breach of Up to 20 Million People

Will Dunham/Reuters

Ecuador has begun an investigation into a sprawling data breach in which the personal data of up to 20 million people, more than the country’s population, was made available online.

The inquiry began after vpnMentor, an internet security firm, alerted the authorities to the enormous security failure, which included the exposure of the data of adults and children, both dead and alive. Ecuador has a population of over 16 million people.

A statement from the attorney general on Monday did not indicate whether anyone had gained access to the data while it had been vulnerable.

Ecuadorean officials said in a statement on Tuesday that they had detained a man identified as William Roberto G., whom they described as the legal representative of Novaestrat, a small online data consulting firm in the city of Esmeraldas, and taken him for questioning in the capital, Quito.

The attorney general’s office said the company, which was founded by former top telecommunication officials, was suspected of being responsible for the information breach.

“This is a very delicate issue that is a major concern for the government,” Ecuador’s interior minister, Maria Paula Romo, said in a news conference Tuesday. She declined to provide further details, citing a continuing inquiry.

The New York Times was not immediately able to locate Novaestrat’s lawyers or contact the company.

The news has jolted the small South American nation, underlining the risks of rapid digitalization of personal data pursued by its government. This year, Ecuadorean authorities admitted to using Chinese facial recognition technology to reduce crime.

Some expressed indignation that a provincial firm founded two years ago with capital of just $3,000 had access to sensitive and extensive government databases. The country’s privacy advocates have for years warned of the risks posed by the lack of a data protection law in the country.

“I feel naked and abused because these people have my information without my authorization,” said Ivan Muela Flor, a software programmer with IBM in Quito. “The people don’t realize just how grave this is.”

President Lenín Moreno of Ecuador on Monday promised to fast-track a data protection law.

Names, social security numbers and contact information were among the elements contained in the exposed files, according to a report published on Monday by vpnMentor. One of the most worrying aspects of the episode, the report said, was that the data included information about people’s family members.

Other sections of the database contained employment information, including job titles and salaries, and bank details, such as account numbers and current balances.

The data appeared to come from Ecuadorean government registries, an automobile association and a state-owned bank, according to vpnMentor. It was discovered on an unsecured server in Miami. The breach was closed on Sept. 11, the company’s report said.

Among the data, vpnMentor said, was an entry, including the national identification number, for Julian Assange, the founder of WikiLeaks, who lived in the Ecuadorean Embassy in London from 2012 until this year.

This is not the first major data security breach in the country. In 2016, hackers stole $12 million from Ecuador’s Banco del Austro by breaching its Swift payment system.

Both the scale and source of the current breach recalled the theft in July of the personal information of as many as five million Bulgarians, nearly the country’s entire adult population, from the national tax agency. That breach highlighted the vulnerability of data held by national institutions and the danger of hackers’ taking advantage of weak security.

A self-proclaimed hacker, who called Bulgaria’s cybersecurity “a parody,” claimed responsibility. The authorities arrested two workers and the owner of a cybersecurity firm, Tad Group, shortly after reports of the breach came out. The workers were charged with terrorism, while investigations into the owner’s possible involvement continued.
