Personal digital data of almost the entire country of Ecuador is compromised. On this incident, CIOs can learn the causes and preventive measures of such massive data breach. Read on to know more…
In case if you are a citizen of Ecuador, chances are that some digital data about you are exposed in a major data breach involving details of 20 million people. Ecuador has a population around 17 million, which means that almost every person could be affected by the latest data breach.
The compromised data includes citizen’s name, gender, date and place of birth, addresses, phone numbers, emails, marital status which were stored on a server in Miami without protection. Other critical data includes national identity card numbers, tax identification numbers, employment records, banking details car-ownership information and the names of living and dead family members of the residents in Ecuador. A spokesperson for Ecuador’s Attorney General’s Office said the details of seven million children was vulnerable to data leaks.
According to cybersecurity firm vpnMentor researchers Noam Rotem and Ran Locar, the unsecured AWS server is owned by Novaestrat, an Ecuadorian data analytics and marketing consultancy firm. The firm Novaestrat said in a statement that “A malicious party with access to the leaked data could possibly gather enough information to gain access to bank accounts and more,”
The massive breach has now been fixed, and it is unknown whether anyone has accessed the information with criminal intent. However, vpnMentor said everyone whose data had been exposed could now be at risk of fraud.
Paula Romo, the interior minister, said those responsible would be held to account. Paula said that “The information we’ve received is very serious,”. Lenin Moreno, Ecuador’s president, said he would introduce legislation to ensure stricter data security.
The CIOs can learn valuable lessons from the Ecuadorian data breach. One of the valuable lesson is that the exposure was due to the availability of all crucial data in a searchable online database that anyone can use. Another key lesson for the CIOs is the security risks in the cloud. Another critical fact is that the server vulnerability uncovered in this case was found in a misconfigured AWS S3 bucket, is a very common one. Most of us are aware that poorly configured servers in AWS is something many administrators struggle with understanding, including how to properly limit access to the data they store in the cloud. Elasticsearch databases in AWS are known to be publicly accessible, and as this is a common setup. Hence it is crucial that enterprises work with their partners to ensure their data is secure.
While the ability to do instant provisioning and scale are valuable benefits to using the cloud, administrators need to take time to understand why and how to put in place appropriate access controls to protect their data. As all of us are aware that no system or person is perfect, the ability to detect and respond to unauthorized or malicious access to platform or infrastructure cloud services can make the difference between a contained security incident and a fully-blown Ecuadorian data breach.
Last but not the least CIOs need to continuously improve their cloud security posture and they need to continuously update their knowledge on AWS security and catch up on the latest expert advice on AWS security tools and practices.