It has been reported that the personal records of most of Ecuador’s population, including children, have been left exposed online due to a misconfigured database.
The database, an Elasticsearch server, was discovered two weeks ago and contained a total of approximately 20.8 million user records, a number larger than the country’s total population count. The bigger number comes from duplicate records or older entries, containing the data of deceased persons.
We’ve seen numerous reports about exposed servers, but this recent incident involving the leak of data from Ecuador pertaining to children is particularly frightening. In the wrong hands, this information could pose a risk to children, leading to identity theft and even kidnapping. Regulations like GDPR and CCPA have already recognized these dangers and thus prohibit the selling of children’s personal data without consent. This latest data exposure in Ecuador should serve as a wake-up call as to why such measures are so necessary. This event also underscores the very real need for organizations to be vigilant about how their data is stored and to be continuously monitored so as to avoid such disastrous incidents in the future.
This is yet another example of how poorly configured AWS S3 buckets could lead to an extensive number of individuals’ personal data being exposed, which leaves them at a significant risk of identity fraud and social engineering. We know that poorly configured servers in AWS are something many administrators struggle with understanding, including how to properly limit access to the data they store there. This is not even about company size or maturity.
Whilst cloud computing’s instant provisioning and scale are valuable benefits, cloud administrators must know what they’re doing and ensure appropriate access controls are in place to protect their data. As no system or person is ever perfect, the ability to detect and respond to unauthorised or malicious access to Platform or Infrastructure cloud services can make the difference between a contained security incident and a full-blown breach of the magnitude that these Ecuadorian citizens are now facing.
The bigger question I have is why is that level of personal data from a government given to a marketing analytics company? What purpose does it serve? The number one rule of data protection is to not have the data. Especially when it is private data a government has shared with a third-party private company. That in itself is a bit scary.
Furthermore, the exposure of this data isn’t much different than what was leaked by Equifax, showing that we haven’t learnt from previous breaches as this information was all in a searchable online database that anyone can use.
Elasticsearch databases in AWS are known to be publicly accessible, and as this is a common setup, it’s important that organisations work with their partners to ensure their data is secure.
In the digital-first economy that we are living in, identity is the true currency. This is because the digital economy is built on data and businesses trying to harness the insights from the vast amount of information they have in order to make real-time decisions across their customer touch points. As digital commerce has grown, so has fraud, especially on the backs of the high-profile breaches that have made personal data available on the dark web.
Each breached identity represents a real person behind it who has now been made vulnerable to fraudsters across the globe as they try to monetize the credentials. Oftentimes, the identity abuse only stops when the victim realizes and reports the abuse. This is what makes this particular breach especially nefarious, as many of the victims are children who are not actively tracking or monitoring their digital footprint and identity usage. This gives the fraudsters ample time to farm the identities for mass-scale payout, in turn tarnishing the digital footprint of these children even before they enter the digital commerce world.
As long as there is money to be made in the world of cybercrime, fraudsters will continue to find a way to breach credentials and subsequently monetize them. It is crucial, now more than ever, to take an approach that is rooted in long-term eradication of the business of fraud by breaking down the economic incentive.
Ecuador is not alone in moving citizen data or critical applications into the cloud, but if government organisations or private companies are going to go down this route, they need to understand that the cloud provider will only secure what they are putting into the cloud up to a point. Public cloud providers provide straightforward guidance on their shared responsibility models for security and compliance in cloud environments. However, many organisations ignore this; recent data from CyberArk’s annual Global Advanced Threat Landscape report found that around half of global organisations don’t have a strategy in place for securing privileged data and assets in the cloud. This represents an open door for anyone that might wish to access them.
The type of data leaked here is the most severe you can have when a breach occurs: full name, date of birth, home address, email address, home, work and cell numbers. Even employment information. In addition to your personal data, if you banked at the national Ecuadorian bank Biess your financial data was also exposed. Financial information like your account status, current balance, credit type and more. What’s even more concerning is that data on individuals’ family members is all exposed as well.
This data is a treasure trove for attackers and scammers. This information can now be used to initiate extremely sophisticated phishing attacks, or provide answers to “Challenge/Response” questions for authentication purposes and continued spam attacks. Even lower-level scam artists can leverage exposed phone numbers for carding or other serious cons. When these types of breaches occur, there are strategies around freezing your credit, but a lot of the exposed data isn’t “rotatable”. For instance, if your credit card information gets stolen, you can get a new one with a new number on it. You can’t do that with your social security or other national identification numbers.