The detailed information of potentially every person in Ecuador has been leaked online, in a massive and unprecedented national data breach, it was revealed on Monday.
More than 20 million people, including an estimated 7 million minors, were exposed in the leak, which was uncovered by internet security firm vpnMentor during a routine project.
Ecuador is home to about 16.5 million people, meaning that the entire population could have been affected. The additional few million may be because the leaked data also included the details of deceased individuals, according to the Ecuadorian State Attorney General’s Office.
It is not known at this stage precisely how many living Ecuadorians have been affected.
According to the vpnMentor report, released Monday, the breach was found on an unsecured server in Miami, which appeared to be owned by Ecuadorian consulting and analytics company Novaestrat.
The breach exposed a host of personal information for the millions affected — their full names, date and place of birth, home and email addresses, national identification numbers and taxpayer numbers, employment information, and more.
Financial information was also leaked, including bank customers’ account status, balance, and credit type.
Even WikiLeaks founder Julian Assange’s information was found among the trove of leaked data, said the report. Assange was granted political asylum and lived in the Ecuadorian embassy in London from 2012 until this year.
VpnMentor reported the breach to Ecuadorian officials on September 11, according to the country’s telecommunications ministry. The breach was quickly closed, but the damage was done.
“Once data has been exposed to the world, it can’t be undone,” warned the vpnMentor report. “The database is now closed, but the information may already be in the hands of malicious parties.”
The leak now places individuals and companies at risk for identity theft, financial fraud, business espionage, and other security threats, the report said.
Ecuadorian authorities are now racing to address the breach.
On Monday, prosecutors and a federal police force raided the home of Novaestrat’s legal representative, William Roberto G., seizing electronic equipment and computers. Later that evening, the police found and detained him in Ecuador’s northwestern Esmeraldas province.
“He will be transferred immediately so that the Ecuador prosecutor can gather information in the framework of the investigation that is taking place,” tweeted Interior Minister Maria Paula Romo.
“If it’s confirmed that they violated the personal privacy of Ecuadorians, it is a criminal offense that must be punished,” said Telecommunications Minister Andres Michelena on Twitter.
On Monday evening, Michelena said a personal data protection bill that had been in the works for months would be sent to the National Assembly within 72 hours.
This breach was not a data hack or cyber attack on government databases, the telecommunications ministry said in a statement on its site. It added that government institutions’ security systems were up to date and able to identify and counteract attacks, and that Novaestrat may have carried out this breach in collaboration with former civil servants who had access to information.