A database containing the details of nearly every citizen of Ecuador, including children, has been found exposed online in the latest case of a misconfigured Elasticsearch server.

Discovered by security researchers at vpnMentor, the database contained data of over 20 million people, the majority being from Ecuador, a country of 16.7 million people. The database was on a server belonging to Ecuadorian consulting company Novaestrat and the data believed to have come from Ecuadorian government registries, an automotive association called Aeade and Biess, an Ecuadorian national bank.

Stories of exposed data on cloud instances are appallingly common, but this leak differs in the depth of the data for each person on the database. The data included full name, gender, birth date, place of birth, home and email addresses, phone numbers, marital status, level of education, date of marriage, date of death (where applicable), family tree information and national ID card numbers.

Bank records, all tied to individuals in the database, included account number, account status, balance, credit type, amount financed and even at which branch they opened their accounts. Employer data and car registration details were also found in the database.

One of the records on the database included the full details of Julian Assange, the Australian founder of Wikileaks who spent seven years in the Ecuadorian Embassy in London after being granted political asylum in 2012.

The database was secured on Sept. 11 after vpnMentor contacted Novaestrat. It remains unknown whether the database had been downloaded by bad actors but the risk that it was is very real.

“Of highest concern is the physical dangers this exposed information could lead to — from burglaries and home invasions to kidnappings,” Alexander García-Tobar, chief executive officer and co-founder of business email compromise protection firm Valimail Inc., told SiliconANGLE. “Often when we hear of data leaks, people tend to only think of the cyber implications, but in this incident, the physical risks are very real and very serious.”

Among other repercussions, he added, this kind of data is more than enough for cybercriminals to orchestrate sophisticated business email compromise scams, in which a cybercriminal impersonates the identity of a trusted business partner or coworker in order to launch convincing attacks targeting companies for monetary gain.

Kevin Gosschalk, chief executive officer of app security firm Arkose Labs Inc., emphasized the value of personally identifiable information, saying that in a digital economy, identity is the true currency.

“This is because the digital economy is built on data and businesses trying to harness the insights from the vast amount of information they have in order to make real-time decisions across their customer touch points,” Gosschalk said. “As digital commerce has grown, so has fraud, especially on the backs of the high-profile breaches that have made personal data available in the dark web.”

Gosschalk added that often the identity abuse only stops when the victim realizes and reports it. “This is what makes this particular breach especially nefarious, as many of the victims are children who are not actively tracking or monitoring their digital footprint and identity usage,” he said. “This gives the fraudsters ample time to farm the identities for mass scale payout, in turn tarnishing the digital footprint of these children even before they enter the digital commerce world.”

Photo: yamilsalinas/Flickr