Sensitive data of almost every citizen of Ecuador leaked

17 Sep 2019

Plaza in Quito, capital of Ecuador. Image: © f11photo/

A breach of a server linked to data analytics company Novaestrat may impact millions of people in Ecuador.

A team of researchers at cybersecurity company VPN Mentor has discovered a large data breach on an unsecured server located in Miami, Florida. The server has been linked to Ecuadorian data analytics firm Novaestrat.

The data breach, which may impact more than 20m individuals, involves a large swathe of sensitive and personally identifiable information, primarily affecting people in Ecuador, which has a population of 16.6m.

VPN Mentor discovered the exposed server as part of a large-scale web-mapping project led by security experts working for the firm. The team scans ports to find known IP blocks and then searches for vulnerabilities in the system that would indicated an open database.

Once the data was discovered, the team passed the information on to the affected party. It reports that the breach was closed on 11 September.

Personal information

The breach involved around 18GB of data. Of the 20m people possibly affected, some may be already deceased, the report notes. Each individual was identified by a 10-digit identification number, which serves a similar function in the country to a social security number in the US or a PPS in Ireland.

The server contained information such as dates and places of birth, full names, email addresses, home, work and cell numbers, education level and more.

When searching to validate the database, the team also discovered specific financial information relating to Ecuadorian bank accounts such as account status, current account balance and credit type.

Though the origin of the information is unclear, the research team speculates that the data was pulled from places such as Ecuadorian government registry, an automotive association called Aeade and an Ecuadorian bank, Biess.

Phishing scams and fraud

VPN Mentor warns that the type of information available leaves those affected vulnerable to phishing attacks, identity theft and financial fraud due to the highly sensitive nature of the data.

“A malicious party with access to the leaked data could possibly gather enough information to gain access to bank accounts and more,” the report states.

Eva Short was a journalist at Silicon Republic