Unsecured database of 16.6 million Ecuadorean citizens found by security researchers

The comprehensive personal details of Ecuador's citizens - encompassing financial information - included an entry for President Maduro

An unsecured, database leaking personal details of almost every Ecuadorean citizen has been found on the internet by researchers at cyber security firm vpnMentor.

The unprotected database was uncovered about two weeks ago and contains comprehensive details, including full names, dates of birth, marital status, ID numbers, family details and even financial details.

It was so comprehensive that the researchers claim that they were even able to find the record of the country's president, Nicolás Maduro, in the database.

Although the entire population of Ecuador is around 16.6 million, the database was found to contain approximately 20.8 million user records. The researchers said many entries in the database are also duplicate or old - containing details of deceased citizens.

Nearly 6.77 million records in the database correspond to children under the age of 18. According to ZDNet, the data goes all the way from 2002 to 2019, and appears to have been populated from Ecuadorian government's civil registry, as well as, from private databases.

The data collected from the government's civil registry appeared to the be highly extensive, containing entries with citizens' full names, home addresses, dates of birth, places of birth, marital status, phone numbers, national ID numbers, educational details and work information.

Researchers also found two indexes in the database labelled with acronyms of private entities: the Ecuadorian national bank BIESS (the Banco del Instituto Ecuatoriano de Seguridad Social) and the Ecuadorian Association of Motor Companies AEADE (Asociación de Empresas Automotrices del Ecuador).

Records linked with BIESS (approximately seven million) contained financial details, such as an individual's account status, credit type, account balance, and information about the account owner. It is not clear whether the financial details of President Maduro, former president Chavez or family members were also found in the database.

The entries associated with AEADE (approximately 2.5 million) also contained details on car owners, their car models, licencee plates and so on.

When researchers tried to discover details about the database owner, they found that it belonged to a local Ecuadorean company named Novaestrat, which is said to provide analytics services for the Ecuadorian market.

The leaking database was eventually secured on 11 September after vpnMentor notified the Ecuador Computer Emergency Response Team about the database, which likely instructed Novaestrat to secure its database.

This is, however, not the first instance of a database leak exposing personal information on millions of people in country.

In March, an unsecured database in China leaked the personal information on more than 1.8 million women, also revealing their "BreedReady" status.

Also in March, 18 MondoDB databases in China were found to be exposing personal details of millions of accounts on six social platforms in the country.