Ecuador citizens’ data breach holds lessons for enterprises
After a data breach of more than 20 million entries hit the country, it’s fairly likely that if you are one of Ecuador’s 16.6 million citizens, some data relating to you has just been disclosed.
While far from top-of-mind for most British residents, the potential impact of the now-patched breach rivals many far larger leaks because of the sheer variety of personally identifiable information it contains, such as government identification numbers, employment records, banking details and car ownership information.
Initially disclosed to US website ZDNet, the breach was exposed thanks to the work of vpnMentor researchers Noam Rotem and Ran Locar, who discovered a vulnerability on an unsecured AWS server that appeared to be owned by Novaestrat, an Ecuadorian data analytics and marketing consultancy.
People in the database can be identified by a 10-digit code referred to as “cedula” or “cedula_ruc” – corresponding to Ecuador’s 10-digit “cédula de identidad”, a national ID number similar to National Insurance in the UK, or Social Security in the US.
The researchers found these numbers were linked to information such as name, gender, date and place of birth, addresses, phone numbers, emails and marital status, among other things. Rotem and Locar were also able to uncover financial information on accounts held at Biess, Ecuador’s national bank, employment information, including tax and salary details, and car makes, models, and licence plates, all linked through the cédula codes.
“It’s not just the number of people affected in this leak that concerns me – it’s the extent of data tied to each individual,” said Oz Alashe, CEO of cyber-security analytics platform CybSafe. “Access to details in this database would open the floodgates for account takeover, identity theft, SIM swapping, spear-phishing and a number of other attack vectors. With the exception of banking details, the data here represents a jackpot for cyber-criminals – the possibilities for malicious activity are pretty much endless.”
Long-lasting privacy issues
Although the breach has been closed since 11 September, vpnMentor said the result could be “long-lasting privacy issues” for virtually everybody in Ecuador, exposing them to a wide range of on- and offline security threats, including email scams and phishing attempts, identity theft, and financial fraud – and even car theft.
Beyond this, Rotem and Locar said the breach would have implications for those companies whose employees’ details were disclosed, putting them at risk of fraud or even industrial espionage by unscrupulous rivals.
They said that even though the data is already exposed and may already be in the hands of bad actors, it was still worth implementing more thorough cyber-security measures.
Chris Morales, head of security analytics at Vectra, said the breach raised questions over how and to what purpose Novaestrat had collected the data.
“Why is that level of personal data from a government given to a marketing analytics company? What purpose does it serve? The number one rule of data protection is to not have the data – especially when it’s private data a government has shared with a third-party private company. That in itself is a bit scary,” he said.
“Furthermore, the exposure of this data isn’t much different than what was leaked by Equifax, showing that we haven’t learned from previous breaches, as this information was all in a searchable online database that anyone can use.”
Risk in the cloud
More widely, Morales highlighted the fact that the server vulnerability uncovered in this case, which was found in a misconfigured AWS S3 bucket, is a very common one.
“We know that poorly configured servers in AWS is something many administrators struggle with understanding, including how to properly limit access to the data they store there,” he said. “This is not even about company size or maturity.”
“Elasticsearch databases in AWS are known to be publicly accessible, and as this is a common setup, it’s important that organisations work with their partners to ensure their data is secure.”
Morales said that while the ability to do instant provisioning and scale were valuable benefits to using the cloud, administrators needed to take time to understand why and how to put in place appropriate access controls to protect their data.
“As no system or person is ever perfect, the ability to detect and respond to unauthorised or malicious access to platform or infrastructure cloud services can make the difference between a contained security incident and a full-blown breach of the magnitude that these Ecuadorian citizens are now facing,” he said.
CybSafe’s Alashe added: “The moral of the story here is to keep a close eye on your cloud database instances and to make absolutely sure that public access is disabled. This looks like it was totally avoidable. Organisations have to be vigilant about where their sensitive data is stored.”
David Higgins, EMEA technical director at CyberArk, said Ecuador was clearly not alone in moving citizen data and critical applications into the cloud. However, he said, when going down this route, enterprises and government organisations alike need to be aware that their cloud providers will only provide security up to a point.
“Public cloud providers provide straightforward guidance on their shared responsibility models for security and compliance in cloud environments,” he said. “However, many organisations ignore this – around half of global organisations don’t have a strategy in place for securing privileged data and assets in the cloud. This represents an open door for anyone that might wish to access them.”
Ed Williams, TrustWave’s SpiderLabs EMEA director, said he continued to see businesses bypassing critical security controls and forgoing the kind of due diligence they would normally enact with data housed on-premises, thanks to their enthusiasm for going all-in on the cloud.
“When transitioning to the cloud, we would recommend appropriate steps to ensure data is held securely and follows best practice recommendations – in this instance, ensuring that cloud buckets have appropriate permissions applied to them,” said Williams.
“Additionally, regular scanning and monitoring to quickly pinpoint misconfigurations or potential malicious activity along with vulnerability management to ensure new patches are quickly adopted are also encouraged.”
Lack of awareness
Ezat Dayeh, SE manager for the UK and Ireland at Cohesity, lamented that some very simple messaging around cyber security is apparently not getting through.
“This lack of awareness is what causes situations like the one in Ecuador, and organisations who use increasingly sprawling and complex infrastructure will continue to be caught out if they’re not adequately assessing that infrastructure,” he said.
“Scanning systems, including backup data, for exposures, permissions and configurations issues and other vulnerabilities must form a key pillar of any organisation’s data protection strategy.
“When it comes to data management and processing in big government, there is work to be done. The reality between what should be done and what is happening is significant,” concluded Dayeh.