Ecuador has begun an investigation into a sprawling data breach in which the personal data of up to 20 million people, more than the country’s population, was made available online.
The inquiry began after vpnMentor, an internet security firm, alerted the authorities to the enormous security failure, which included the exposure of the data of adults and children, both dead and alive. Ecuador has a population of over 16 million people.
Ecuadorean officials said in a statement on Tuesday that they had detained a man identified as William Roberto G., whom they described as the legal representative of Novaestrat, an online data consulting firm in the province of Esmeraldas, and taken him for questioning in the capital, Quito. The company was suspected of being responsible for the information breach, a statement from the attorney general’s office said.
Names, social security numbers and contact information were among the elements contained in the exposed files, according to a report published on Monday by vpnMentor. One of the most worrying aspects of the episode, the report said, was that the data included information about people’s family members.
Other sections of the database contained employment information, including job titles and salaries, and bank details, such as account numbers and current balances.
The data appeared to come from Ecuadorean government registries, an automobile association and a state-owned bank, according to vpnMentor. It was discovered on an unsecured server in Miami, and the breach was closed on Sept. 11, the company’s report said.
Among the data, vpnMentor said, was an entry, including the national identification number, for Julian Assange, the founder of WikiLeaks, who lived in the Ecuadorean Embassy in London from 2012 until this year.
A statement from the attorney general on Monday did not indicate whether anyone had gained access to the data while it had been vulnerable.
Both the scale and source of the breach recalled the theft in July of the personal information of as many as five million Bulgarians, nearly the country’s entire adult population, from the national tax agency. That breach highlighted the vulnerability of data held by national institutions and the danger of hackers’ taking advantage of weak security.
A self-proclaimed hacker, who called Bulgaria’s cybersecurity “a parody,” claimed responsibility. The authorities arrested two workers and the owner of a cybersecurity firm, Tad Group, shortly after reports of the breach came out. The workers were charged with terrorism, while investigations into the owner’s possible involvement continued.