(CNN) - More than 20 million people, including about 7 million children, were exposed in a massive data leak in Ecuador that was discovered by the internet security firm vpnMentor during a routine project.
Detailed information on potentially all Ecuadorians was leaked on the Internet, amounting to a massive and unprecedented national data breach, according to authorities.
Ecuador is home to approximately 16.5 million people, which means that the entire population could have been affected. The additional few million may be because the leaked data also included the details of the deceased, according to the Attorney General of the Ecuadorian State.
It is not known at this stage precisely how many living Ecuadorians have been affected.
According to the vpnMentor report, published on Monday, the breach was discovered on an unsecured server in Miami, which appeared to be owned by the Ecuadorian consulting and analysis company Novaestrat.
The breach exposed a large amount of personal information about the millions affected: their full names, date and place of birth, address and email address, national identification numbers and taxpayer numbers, employment information and more.
In the raid on the house of William Roberto G., the investigators seized computers, documents and electronic devices.
Financial information was also leaked, including account statement, balance and credit type of bank customers.
Even information about Wikileaks founder Julian Assange was among the trove of leaked data, according to the report. Assange received political asylum and lived at the Ecuadorian embassy in London from 2012 to this year.
VpnMentor reported the breach to Ecuadorian officials on September 11, according to the country's Ministry of Telecommunications. The leak was closed quickly, but the damage was done.
"Once the data is exposed to the world, it cannot be undone," the vpnMentor report warned. "The database is now closed, but the information may already be in the hands of malicious parties."
The leak now puts individuals and businesses at risk of identity theft, financial fraud, commercial espionage and other security threats, according to the report.
Authorities arrested William Roberto G., legal representative of Novaestrat, on September 16, 2019.
Where the investigations stand
Ecuadorian authorities are rushing to address the data leak.
On Monday, the Prosecutor's Office and a Federal Police force raided the house of Novaestrat's legal representative, William Roberto G., confiscating electronic equipment and computers. Later, the police found him and arrested him in the province of Esmeraldas, in northwestern Ecuador.
"He will be transferred immediately so that the Prosecutor's Office of Ecuador can gather information in the framework of the investigation he is carrying out," tweeted Interior Minister Maria Paula Romo.
This afternoon / night the @PoliciaEcuador made the search of the place designated as the address of #Novaestrat which is also the address of one of its managers.
Raid was done with a judge's order in the framework of the investigation conducted by @FiscaliaEcuador pic.twitter.com/toD79a1FDO
- María Paula Romo (@mariapaularomo) September 17, 2019
"If it is confirmed that they attempted against the personal privacy of Ecuadorians, it is a criminal offense that must be punished," said Telecommunications Minister Andrés Michelena on Twitter.
On Monday night, Michelena said a personal data protection bill that had been in progress for months would be sent to the National Assembly within 72 hours.
This breach was not a data hack or a cyber attack on government databases, the Telecommunications Ministry said in a statement. The Ministry added that the security systems of government institutions were up to date and could identify and counteract attacks, and that Novaestrat could have carried out this breach in collaboration with former officials who had access to the information.