Data Leaks and Digital Espionage in Ecuador

Ecuador faces a severe digital crisis that reveals the darkest side of its politics and public management: constant data leaks and the alarming rise of digital espionage. While boasting advances in other areas, the Ecuadorian state allowed the privacy and security of its citizens to be treated with almost criminal negligence.
One of the most scandalous episodes was the massive data leak in 2019, when it was discovered that a server in Miami, controlled by the Ecuadorian company Novaestrat, contained 18 GB of sensitive information on up to 20 million people, almost the entire national population. This leak exposed full names, identification numbers, addresses, phone numbers, work and academic histories, and financial records, including data of deceased persons. Experts have described this leak as an avoidable IT disaster with basic security measures that left Ecuadorians vulnerable to identity theft, financial fraud, and more.
The state’s response to the public was unclear. It was said that the information was “protected and safeguarded” just after international media uncovered the magnitude of the disaster. Instead of taking clear responsibility and firmly sanctioning those responsible, internal investigations were chosen, many of which ended in judicial limbo and others even were archived, as happens with most similar cases in Ecuador. This impunity and lack of real measures to strengthen cybersecurity make the history repeat itself over and over, condemning the country to a vicious circle of digital vulnerability.
But the problem does not end at the surface of massive leaks: Ecuadorian legislation itself, with figures like the undercover digital agent and some regulations in the recently approved Intelligence Law, open the door to institutionalized digital espionage that has been used to monitor, threaten, and silence activists, journalists, social fighters, and any dissident voice. In a context where transparency and accountability are absent, the state exploits its power to carry out illegitimate social control maneuvers that attack basic freedoms, multiplying the damage of technical incapacity with legal and political abuses.
Regarding the legal protection of personal data, although the Organic Law on Personal Data Protection was approved in 2021 and the Superintendence of Personal Data Protection has recently issued resolutions to improve information management and security, these regulations are purely formal when they lack effective enforcement mechanisms and a judicial system that truly punishes violations.
Ecuador lives a double digital tragedy: the state’s incapacity or neglect to protect its population’s data and the abusive use of legal tools to carry out espionage that criminalizes dissent. The combination of these problems amplifies the sense of helplessness and fragility of citizens before a powerful and unpunished digital enemy.
Negligence and abuse turned into public policy have made Ecuador a dangerous laboratory of digital vulnerabilities and rights violations. If these dynamics are not broken, neither laws nor technologies will be able to repair the damage. Data protection and privacy must stop being empty words to become an unavoidable priority under the scrutiny of the people and with firm sanctions for those who violate them. Only then will it be possible to advance toward a truly secure and just digital society, where personal information and freedom are not at the mercy of arbitrariness or indifference.