Security Experts:

Industry Reactions to Massive Ecuador Data Leak

Researchers at vpnMentor have discovered an unprotected database apparently storing information on nearly everyone in Ecuador, including children and deceased individuals.

The exposed Elasticsearch database was roughly 18 GB in size and held records on more than 20 million individuals, more than Ecuador's entire population of approximately 16 million.

The exposed data included information such as name, date of birth, home address, email address, marital status, level of education, financial data, information on an individual's family members, information on vehicles owned, employment information, and national identification number. The records of Julian Assange, the founder of WikiLeaks, who had been granted political asylum by Ecuador for seven years, were also found in the database.

The data was stored on a server located in Miami, Florida, but it belonged to Novaestrat, an Ecuadorian consulting firm that is now facing legal repercussions.

Industry professionals have commented on the incident and shared recommendations on how such leaks can be avoided.

And the feedback begins...

Chris Morales, head of security analytics, Vectra:

“While cloud computing’s instant provisioning and scale are valuable benefits, cloud administrators must know what they’re doing and ensure appropriate access controls are in place to protect their data. As no system or person is ever perfect, the ability to detect and respond to unauthorized or malicious access to Platform or Infrastructure cloud services can make the difference between a contained security incident and a full-blown breach of the magnitude that these Ecuadorian citizens are now facing.

The bigger question I have is why is that level of personal data from a government given to a marketing analytics company? What purpose does it serve? The number one rule of data protection is to not have the data. Especially when it is private data a government has shared with a third-party private company. That in itself is a bit scary.

Furthermore, the exposure of this data isn’t much different than what was leaked by Equifax, showing that we haven’t learnt from previous breaches as this information was all in a searchable online database that anyone can use.”

Harrison Van Riper, Strategy and Research Analyst, Digital Shadows:

“Exposed databases, such as Elasticsearch, are an increasingly frequent contributor to data leakage and breach events like what we learned about this morning in Ecuador. Misconfigurations that lead to these exposures are a continuing issue, but not one that is impossible to solve.

In Photon Research Team’s most recent report, Too Much Information: The Sequel, which examined 2.3 billion files exposed across online file storage technologies, we discovered 750 million more files exposed this year than the year prior. These exposures are largely due to unintended settings in the technologies themselves when they were originally implemented, so it’s important to monitor where your organization’s critical assets are located. Moreover, threat actors are becoming more and more attuned to the opportunities for data theft resulting from these oversights. In this case, the citizens of Ecuador are fortunate that there is no evidence of attackers attempting to exploit this exposure, yet.

News of this breach and the vast amount of exposed data should be a sobering reminder to governments and organizations alike about the risks at stake when citizen data is involved.”

Alexander García-Tobar, CEO and co-founder, Valimail:

“This shocking leak exposes the impacted people, including children, to identity theft and countless other physical and cyber threats. Of highest concern are the physical dangers this exposed information could lead to, from burglaries and home invasions to kidnappings. Often when we hear of data leaks, people tend to only think of the cyber implications, but in this incident, the physical risks are very real, and very serious.

Among other repercussions, this kind of data is more than enough for cybercriminals to orchestrate sophisticated Business Email Compromise (BEC) scams, in which a cybercriminal impersonates the identity of a trusted business partner or coworker in order to launch convincing spear phishing attacks targeting companies for monetary gain. To thwart these types of email attacks, organizations need to be on defense at all times by enforcing industry standards and best practices like DMARC, while implementing advanced anti-phishing solutions that validate senders’ identities.”

Ed Williams, director EMEA, SpiderLabs, Trustwave:

“The fact that we continue to see large-scale data breaches is of no surprise to me. We have seen an ever-increasing rush to the cloud; in many respects this rush is causing enterprises to bypass critical security controls and forgo the security due diligence that we normally see when data is housed on site. This rush, coupled with lax security practice, is a perfect storm for catastrophic breaches.

When transitioning to the cloud, we would recommend appropriate steps to ensure data is held securely and follows best practice recommendations; in this instance, ensuring that cloud buckets have appropriate permissions applied to them. Additionally, regular scanning and monitoring to quickly pinpoint misconfigurations or potential malicious activity, along with vulnerability management to ensure new patches are quickly adopted, are also encouraged.”

Todd Peterson, IAM evangelist, One Identity:

“This case further illustrates how organisations of all kinds are still getting security wrong because, generally, security is a hassle to their business. No one likes entering user IDs and passwords, and even fewer like entering the second factor of authentication that should be used by all organisations. Server misconfigurations are in the news every week, and in some cases lead to massive data leaks, such as the one suffered by the Ecuadorian civil registry.

However, there are options to make the first and second factor of authentication less obtrusive so that users are more prone to do the right thing. Practices such as adapting the requirement based on risk, delegating permissions to prevent sharing of superuser credentials, and implementing multifactor authentication in a manner that is user friendly (such as via an app on the user’s phone) all improve security and minimise disruption.”

Kevin Gosschalk, CEO, Arkose Labs:

“In the digital-first economy we are living in, identity is the true currency. This is because the digital economy is built on data and on businesses trying to harness insights from the vast amount of information they have in order to make real-time decisions across their customer touch points. As digital commerce has grown, so has fraud, especially on the backs of the high-profile breaches that have made personal data available on the dark web.

Each breached identity represents a real person behind it who has now been made vulnerable to fraudsters across the globe as they try to monetize the credentials. Oftentimes, the identity abuse only stops when the victim realizes and reports the abuse. This is what makes this particular breach especially nefarious, as many of the victims are children who are not actively tracking or monitoring their digital footprint and identity usage. This gives the fraudsters ample time to farm the identities for mass-scale payout, in turn tarnishing the digital footprint of these children even before they enter the digital commerce world.

As long as there is money to be made in the world of cybercrime, fraudsters will continue to find a way to breach credentials and subsequently monetize them. It is crucial now more than ever, to take an approach that is rooted in long term eradication of the business of fraud by breaking down the economic incentive.”

Chris DeRamus, CTO, DivvyCloud:

“The misconfiguration of an Elasticsearch server left 20.8 million user records exposed – more than the entire population of Ecuador, which is about 16.6 million. We’ve seen numerous times how a misconfiguration can expose nearly every customer of a company, but this might be the first instance in which the people of an entire country were put at risk.

Misconfigurations are frightfully common, but there are simple and highly effective ways to prevent them. All organizations, everywhere in the world, should deploy automated cloud security solutions that can ensure databases are configured correctly from the beginning, so there is never a risk of misconfiguration. Even as environments change (which is quite often, especially when dealing with the cloud), these solutions provide continuous monitoring and will alert the appropriate personnel in the event of a change that could lead to a security risk, or even trigger automated remediation in real-time. This way, Elasticsearch databases and other assets never have the opportunity to be exposed, even temporarily.”

Hugo van den Toorn, Manager Offensive Security, Outpost24:

“This is a typical example of a misconfigured system. It should never have been possible for anyone on the Internet, especially without authentication, to access the data stored in the database. Even Elastic themselves note in one of their recent blogs on securing Elasticsearch: ‘It’s especially dangerous if the cluster is connected directly to the Internet where anyone can connect without using a password’.

With the countless possibilities of ‘quickly deploying a system in the cloud’, security is still often overlooked by organisations. As datasets grow to this size, the data is becoming increasingly valuable to businesses, and in some cases even more valuable than money. Unfortunately not everyone protects it like the valuable asset it is.”

Oscar Tovar, application security specialist, WhiteHat Security:

“Data leaks are something that should definitely be taken seriously. Not only do they damage a brand's reputation, but they also hurt the privacy of their clients. One important aspect to note is that even though the data breach occurred for people in Ecuador, the affected servers were hosted in Miami. It is a classic case of negligence on overseas/remote deployment.

The biggest lesson that can be taken away is that all personal information should be treated with the highest of concern. There should not be any circumstances where private information storage is exposed publicly. There is no margin for error when it comes to this, since once a leak happens, there is no going back. Following best practices such as network segmentation and the ‘least privilege’ model helps prevent these kinds of leaks from occurring. Network segmentation is highly important as it prevents high exposure of internal infrastructure. Furthermore, giving users only the least amount of privileges necessary for data access lessens the probability of a data leak.

Surprisingly, these heavily recommended practices are not followed commonly. A simple search on shodan.io will show a plethora of S3 buckets, and Database API Endpoints that are publicly accessible without any security restraints. This leak should serve as a reminder that network attached infrastructure should constantly be audited for best practices and recommended security configurations.”
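The misconfiguration that van den Toorn and Tovar describe above (an Elasticsearch node listening on a network interface with authentication switched off) can be caught before deployment by reading the node's elasticsearch.yml. The following audit is an added example written for this page; it is not code from the article, from Novaestrat, or from Elastic, and the two configurations it checks are constructed for illustration. The `network.host`, `http.host`, `http.port` and `xpack.security.*` keys, and the `_local_`/`_site_`/`_global_` placeholders, are real Elasticsearch settings; the `security_default` parameter models the fact that `xpack.security.enabled` defaults to off in Elasticsearch 7.x and on in 8.x when the key is absent.

```python
"""Audit elasticsearch.yml for the 'open Elasticsearch' exposure pattern:
a node reachable from the network with authentication turned off.
Added example; the configs below are constructed, not from a real deployment."""

import ipaddress
from typing import Dict, List

# Constructed: the weak shape behind most "open Elasticsearch" leaks.
WEAK_CONFIG = """\
cluster.name: analytics
node.name: node-1
network.host: 0.0.0.0          # listen on every interface
http.port: 9200
discovery.type: single-node
xpack.security.enabled: false  # no authentication at all
"""

# Constructed: same node on an internal segment, auth and TLS on.
HARDENED_CONFIG = """\
cluster.name: analytics
node.name: node-1
network.host: 10.0.1.5         # internal address; firewall fronts it
http.port: 9200
discovery.type: single-node
xpack.security.enabled: true
xpack.security.http.ssl.enabled: true
xpack.security.http.ssl.keystore.path: certs/http.p12
"""


def parse_flat_yaml(text: str) -> Dict[str, str]:
    """Parse the flat 'key: value' lines elasticsearch.yml normally uses.
    Comments and blank lines are dropped; nested YAML maps are not handled."""
    settings: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        key, sep, value = line.partition(":")
        if not sep:
            raise ValueError(f"cannot parse line: {raw!r}")
        settings[key.strip()] = value.strip().strip("\"'")
    return settings


def bind_scope(host: str) -> str:
    """Classify a network.host / http.host value as 'loopback', 'private',
    'public' or 'unknown'. Understands Elasticsearch's _local_/_site_/_global_
    placeholders and comma-separated lists; the widest scope wins."""
    rank = {"loopback": 0, "private": 1, "unknown": 2, "public": 3}
    widest = "loopback"
    for item in host.strip("[]").split(","):
        h = item.strip()
        if h == "_local_":
            scope = "loopback"
        elif h == "_site_":
            scope = "private"
        elif h in ("_global_", "0.0.0.0", "::"):
            scope = "public"
        else:
            try:
                addr = ipaddress.ip_address(h)
                scope = ("loopback" if addr.is_loopback
                         else "private" if addr.is_private else "public")
            except ValueError:
                scope = "unknown"  # hostname or an _eth0_-style interface name
        if rank[scope] > rank[widest]:
            widest = scope
    return widest


def audit(settings: Dict[str, str], security_default: bool = False) -> List[str]:
    """Return findings for one node's settings; [] means nothing to flag.
    security_default models xpack.security.enabled when the key is absent:
    False matches Elasticsearch 7.x, True matches 8.x."""
    findings: List[str] = []
    bind = settings.get("http.host", settings.get("network.host", "_local_"))
    scope = bind_scope(bind)
    if scope == "loopback":
        return findings  # only processes on the same host can connect
    port = settings.get("http.port", "9200")
    raw = settings.get("xpack.security.enabled")
    security_on = security_default if raw is None else raw.lower() == "true"
    tls_on = settings.get("xpack.security.http.ssl.enabled", "false").lower() == "true"
    if not security_on:
        findings.append(f"CRITICAL: HTTP API on {bind}:{port} with authentication off; "
                        "anyone who can reach the port can read every index")
    elif not tls_on:
        findings.append("HIGH: authentication on but HTTP TLS off; credentials "
                        "and data travel in cleartext")
    if raw is None:
        findings.append("MEDIUM: xpack.security.enabled not set; the effective "
                        "value depends on the Elasticsearch version")
    if scope in ("public", "unknown"):
        findings.append(f"INFO: bound to {bind}; confirm a firewall or security "
                        f"group restricts port {port} to known clients")
    return findings


if __name__ == "__main__":
    for name, text in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name, audit(parse_flat_yaml(text)) or ["OK"])
```

Run against the constructed files, the weak configuration yields a CRITICAL finding (all interfaces, no authentication) plus a reminder to check the perimeter, while the hardened one yields nothing. The bind-address check is deliberately conservative: a hostname or interface placeholder cannot be resolved offline, so it is treated as reachable rather than assumed safe. A binding on an RFC 1918 address still relies on segmentation and firewall rules holding, which the audit cannot see, so the loopback case is the only one it considers closed on its own.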

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.