On September 16, ZDNet in collaboration with vpnMentor published an article showing that 20.8 million user records including almost the complete population of Ecuador was publicly exposed in a database that anyone on the internet could access. In the following days, more information has been made public, investigations have started, discussions have been had - but some questions are not being answered, and the governmental response seems mostly focused on looking strong, while not necessarily taking effective action.

In this article, we would like to analyze this leak of data, understand what it means, the impact it can have, what kind of actions could have been taken to avoid it, and what should be done moving forward. We will always discuss the Ecuadorean data protection law that is currently being intensely discussed.

The information in this article is based only on publicly available information about the leak, combined with our long technical experience in the fields of security and privacy.

The goal of this article is not to attack any person or entity, but try to bring clarity into this event from a technical perspective. This clarity is necessary for us as a society to handle these kinds of incidents better in the future. Before we can discuss solutions, we have to clearly understand what happened.

Timeline

Based on current information, this is what the timeline of pertinent events looks like:

  • Sometime after December, 2017 - the information in the database was created or updated.1
  • Sometime before April 1, 2019 - the database was made publicly available.2
  • Sometime before September 7, 2019 - vpnMentor finds the problem and tries to contact Novaestrat about the publicly available data.3
  • September 7, 2019 - vpnMentor contacts EcuCERT and makes them aware of the problem.4
  • September 11, 2019 - the government of Ecuador is officially made aware of the problem, following protocol.
  • Some time after September 15, 2019 - the database was made private or taken down.
  • September 16, 2019 - the initial article on ZDnet was published, making the leak publicly known.
  • September 16, 2019 - officers of Novaestrat are raided and detained for questioning by the prosecutor general.
  • September 17, 2019 - officers of Novaestrat are released.

As is clear, there are several things about this timeline that are worrisome. Most importantly, the fact that the database was available since April. It's also problematic that it took at least 8 days from the initial report to the Ecuador government until the server was shut down. With this kind of vulnurability and data, every day is important.

It is unclear when the breach was actually closed. According to vpnMentors blog post, the problem was closed on September 11, 2019. However, according to the Shodan data, the ElasticSearch port was still open to the public as late as September 15, 2019. These conflicting data points makes it hard to know which perspective is correct and when the breach was actually closed.

The data

What makes this leak fairly unique is the amount of data leaked, combined with the proportion of the population being covered by this leak. We still don't know exactly what information the leak contains, since vpnMentor has mentioned that they haven't made public every kind of data point that could be found in the database.

The database contained roughly 20.8 million user records. These include some duplicated entries, old entries and entries for deceased individuals. It also contains information from 2019, which implies that the data has been continuously updated. 6.77 million entries are for children under the age of 18.

For all entries, this data includes the individuals name, cedula (the Ecuadorean ID number), place of birth, home address, gender and family information. It also contains email addresses, phone numbers, marriage information and level of education. For people with employment, it contains information about the employer, job title, salary information, and when the employment started and ended. It's implied that this information is historical as well as current.

For about 7 million people, it also includes bank information from BIESS, the Ecuadorean government social security bank. This includes the account status, current balance, financed amount, credit type and information about what branch the individual is using.

There are also 2.5 million entries about cars and car owners, including information such as license plate number, make, model, date of purchase, registration information and other technical information. It also contains the taxpayer number linked to the car, so that each car can be linked with its owner.

There is also information about companies, including their tax registration number (RUC), contact information, address and legal representative.

vpnMentor has stated that the database contains more information than the above. However, they have not divulged this kind of information because it is sensitive. This is extremely strange. They have not even talked about the _kind_ of information this is. That is something that they could reveal without revealing any specific instances of that information. The fact that they are not willing to reveal the kind of information that exists implies that the very existance of this information is extremely sensitive. Purely speculatively, this could involve information related to some kind of open criminal investigation or maybe some extreme type of governmental invasive measure.

Impact

A leak of this magnitude, with this kind of data, is extremely serious. Looking at the current scan of the NovaEstrat server in question, it's clear that this company has not put a lot of resources into securing their infrastructure. Since the data in question could have been available since at least April 1st, 2019, it is highly likely that the whole data dump has been available for sale on underground criminal networks for a significant amount of time. We have to assume that all the data is out there. This also makes the decision to not specify exactly what kinds of data that has been leaked suspect, since attackers will have this data - but the Ecuadorean population doesn't actually know what the attackers have.

What are the risks here? Someone with this kind of data can do many types of things. Many corporations could use this kind of data to do analysis of potential sales targets. This information is also very similar to the kind that ad networks collect in order to personalize advertisements. The information can be used for widespread phone and email phishing campaigns, trying to convince people to click on links or put in their passwords into hostile web sites. It can also be used to actively try to crack passwords, or reset passwords on web sites that allow you to do password resets using personal information.

More overt criminal activity such as different kinds of fraud are to be expected on a massive scale. This information can potentially be used to get access to the bank accounts of individuals, or other types of private information. It's not impossible that it can be used to fraudelently apply for credit cards and then massively overdraw these.

The initial article also mentioned the possibility of using this information for targeting. By identifying people with high incomes, this data also gives address and phone information, making it easy to target them for robbery, theft or kidnappings.

A leak of this magnitude, with this kind of breadth of data covering such a large population, will without a doubt lead to widespread criminal enterprises. It is likely that the cost to the Ecuadorean population will be in the range of billions of dollars over the next few years because of this leak.

Where did the data come from?

When it comes to this kind of leak, the first question is where the data came from. This company, Novaestrat, is a private company that apparently works to provide analytics services to the Ecuadorean market. It's unclear exactly what that means, and who their clients are.

The data itself seems to come from several different sources, including the Ecuadorean civil registry, the BIESS (the Ecuadorean government social security bank), AEADE (an assocation that seems to track car ownership), the secretariat of higher education, SRI (the IRS), and the national transit agency. It is possible there are more sources for the information, and it's possible that these are not the original source the data came from.

What is clear is that most of this data does not belong in the hands of a private entity. A lot of it is highly sensitive, and putting it together paints an extremely detailed picture of the whole Ecuadorean population.

Some sources claim that the information was sold by these puplic entities to Novaestrat, and that there are contracts that show these purchases. Whether it is actually possible for a public government entity to sell access to private databases like these is so far quite unclear. Several reports do claim that no computer intrusions are the source for the data. In that case, that would leave either legal sales of the data, or some kind of corruption.

Several government reports have claimed that this sale of data can be attributed to the previous government. However, the current government has been in place since 2017, and since the latest data is from 2019, it's unclear how the previous government could be blamed for this situation.

What could have been done?

A few days ago, we published an article about how organizations can avoid massive leaks in general. The recommendations and advice in this article would be appropriate for an entity to such as Novaestrat to take to heart. It is clear from public scans of the IP address in question that IT security is not the highest concern of this employer.

It seems clear that Novaestrat should not have had this data in the first place. Whatever entity that sells data has a responsibility that the data goes to a place where it will be properly taken care of. Assuming that the sale of all this data was in fact legally and correctly done, the seller should still have imposed conditions on how the data was secured and managed.

If Novaestrat did not have legal access to this data, it opens the questions of how the transfers actually happened. The institutions that are responsible for managing these original data bases need to do a thorough review of their policies and practicies in order to make sure that this kind of leak of data does not happen again. It is likely that separate legal investigations and processes against each one of the sources of data need to be started in order to find out how the data was actually leaked in the first place.

Since this was a very serious issues, and every day counts in this kind of situation, it seems like a problem that it took several days before the Ecuadorean government reacted to the problem. The discussions around this issue seems to imply that the reason they delayed was because they couldn't verify who the people reporting the vulnurability were. But when it comes to protecting the Ecuadorean population, the first step should be to see if the vulnurability is real. Who reports the problem is not relevant when it comes to this first step. So delaying several days for this reason seems irresponsible, and these protocols should be revised.

What should be done?

When an incident like this happens, protecting the people involved should be priority number one. After that, investigations and possible assignment of guilt can happen. For the Ecuadorean people, the first thing to do would be to set up a service that would allow individuals to see if they were affected by the leak, and what kind of information about them was leaked. Once that's done, procedures to protect the population should be put in place.

The problem with this kind of leak is that most of the data in it is not something you can change. Ideally, every person in Ecuador should change their legal names, the names of their parents and children, their cedula, work place, salary, car, bank account information and much more. Obviously that is not in any way realistic. So that means that the kind of attacks we discussed above will be continue to be possible for many years.

There are some ways of mitigating these risks. Individuals can be more careful when they receive emails and phone calls. Institutions should revise their internal procedures for how they authenticate clients. The Ecuadorean government should institute an insurance policy for everyone impacted by this breach, that will help when someone is subjected to identity theft, fraud or other kinds of attack.

But, the sad reality is, it is hard or even impossible to guard against most of the coming attacks. The cat is out of the bag.

In terms of investigation, the first goal should be to understand _how_ this happened, so that these problems can be avoided in the future. This implies starting investigations in the places where we can find the most helpful information. But not with the goal of assigning guilt. Investigating Novaestrat is certainly one important part, but it's also important to investigate organizations that Novaestrat had business relationships with, and also the public entities where this information came from. Without these investigations it will be hard to see how to stop it from happening again.

Data protection law

Immediately after this leak was made public, the government announced that they are working on a data protection law and that they are close to presenting this to parliament. They have apparently been working on this for the last 8 months.

While having strong data protection laws are extremely important, and it would be good for Ecuador to make progress on this issue, pushing through legislation the same week as a large leak has been announced is not the right time to do it. Legislation lasts for a long time, and it has many repercussions to society. When an incident happens, the instinct is for politicians to want to appear strong and use it as a moment to push their own agenda. But this does not help the population.

If Ecuador really wants to have the legal tools necessary to stop these kinds of problems in the future, it's important that everyone take their time to work on this legislation. It should not be rushed through. There needs to be debate where civil society, private businesses and the population is involved. Data protection is a hugely complex subject, and getting it right is not trivial. So even though the urge to push it through right now is very strong, our recommendation is to take the time to evaluate it with cool heads. The future of the country will be better off by doing it right.

A related issue is the current move of the government to unify all public data under one governmental service, CNT. While this in theory can lead to stronger security, if the organization in question knows how to manage the data correctly, that is not at all the only possibility. In some cases it doesn't make a difference, and sometimes having all the data in the same place, leads to one big target, instead of many smaller ones.

Conclusions

When a leak of this magnitude happens, it's sometimes hard to wrap your head around all the angles. It's easy to leap to conclusions and miss aspects of the story. But that means we might not have the information we need to form informed and proper decisions based on an event like this.

In this post we have tried to summarize the aspects of this case, what the implications are and what some of the lessons for the future are. This is an important subject, and we need to continue the discussions. But we need to do that with all the information at hand.

Addendum

On Tuesday, September 24 - after this article was written, but before it was published - Ran Locar and Noam R from vpnMentor announced that the same data had been found in the hands of another organization. This organization was selling subscriptions to the data, and it had been updated as recently as August 2019. During the day, several other mentions of websites where the same or similar data could be found were published. It is unclear if all of these refer to the same collection of data, or whether it's more than one organization outside of Novaestrat that has access to the information.

The team from vpnMentor further added that the organization in question was breached in January 2019. They are clear that we need to assume that all the data in these collections are out there.

Based on these news, we can deduce that more than one organization was sold or given access to this data in some way - and that this access continued until at least August 2019. We also know that the data is in the hand of criminal organizations or groups. This means that the data is out there, it will be used and it's too late to put the cat back in the bag. The current goal has to be mitigation, helping citizens and finally stopping the further flow of data.

References

  1. We know this because the database contains information about Julian Assange, and his citizenship was registered around December 2017. According to the article, the database contains information from 2019 as well, so it's likely updates continued after December 2017.
  2. This can be deduced by using Shodan's history function through the Developer API. Looking up 207.246.114.186 tells us that the first time Shodan registered the port 9200 (which is the ElasticSearch port), was on April 1st, 2019. This doesn't mean the port couldn't have been open before, just that this was the first time Shodan saw it.
  3. The original article (on September 16), claims the server was discovered two weeks earlier, sometime around September 2. Later reporting claims the server was discovered on September 6. The article also mentions that they tried to contact Novaestrat. Other articles mention that vpnMentor only contacted EcuCERT after failing to contact Novaestrat. vpnMentor claim that they were doing "ethical scanning" of the internet, something that is not unusual or suspect. Indeed, many security firms do the same kind of work regularly.
  4. As can be read in the El Comercio interview with Arcotel (link in references).