Novaestrat Ecuador data leak
An unsecured Elasticsearch server run by Ecuadorian consultancy Novaestrat exposed 20.8 million records covering nearly the entire population of Ecuador, including 6.7 million children, financial records, and vehicle data.
- Victim: Novaestrat
- Records: 20.8M
- Users: 16.6M
In September 2019, security researchers revealed that an unsecured Elasticsearch server operated by the small Ecuadorian consultancy Novaestrat had exposed roughly 20.8 million records — more than the country's entire living population of about 16.6 million — in what became the largest data breach in Ecuador's history.
What happened
Researchers Noam Rotem and Ran Locar of vpnMentor found an 18-gigabyte Elasticsearch database sitting on a Miami-based server with no authentication. Anyone who knew the IP address could browse it. The data did not come from a single hack; instead, Novaestrat appeared to have aggregated information from multiple sources, including Ecuadorian government registries, the AEADE automotive association, and the state bank BIESS.
Because Ecuador's national civil registry assigns every citizen a unique cédula identifier, the consolidated database effectively re-created the population register — and linked it to family relationships, financial standing, and asset ownership.
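The failure described above was an Elasticsearch REST endpoint that answered anyone on the internet without credentials. The following audit script is an added example, not code from the page or its sources; it assumes the hosts listed are ones you administer and that they expose the standard Elasticsearch REST API (GET / returns the cluster banner, /_cat/indices?format=json lists indices with a `docs.count` field). A node that requires authentication answers 401; a node that answers 200 with its banner is open, and the script then sizes the exposure in documents.

```python
import json
import urllib.error
import urllib.request


def classify(status: int, body: str) -> dict:
    """Turn the anonymous GET / response into an exposure verdict."""
    if status == 401:
        return {"open": False, "reason": "authentication required"}
    if status == 200:
        try:
            info = json.loads(body)
        except json.JSONDecodeError:
            return {"open": False, "reason": "not an Elasticsearch banner"}
        if isinstance(info, dict) and "cluster_name" in info and "version" in info:
            return {"open": True, "reason": "cluster answers anonymously",
                    "cluster": info["cluster_name"],
                    "version": info["version"].get("number")}
    return {"open": False, "reason": f"unexpected status {status}"}


def exposure_size(cat_indices_json: str) -> int:
    """Sum docs.count over the JSON form of /_cat/indices (closed indices report null)."""
    return sum(int(i.get("docs.count") or 0) for i in json.loads(cat_indices_json))


def audit(base_url: str, timeout: float = 5.0) -> dict:
    """Probe one endpoint you administer without credentials and size what it exposes."""
    def get(path):
        try:
            with urllib.request.urlopen(base_url + path, timeout=timeout) as r:
                return r.status, r.read().decode()
        except urllib.error.HTTPError as e:
            return e.code, ""
        except urllib.error.URLError:
            return 0, ""  # unreachable, or a TLS-only node refusing plain HTTP
    verdict = classify(*get("/"))
    if verdict["open"]:
        status, body = get("/_cat/indices?format=json")
        verdict["documents"] = exposure_size(body) if status == 200 else None
    return verdict


# Constructed sample responses so the logic can be exercised offline.
SAMPLE_BANNER = json.dumps({"name": "node-1", "cluster_name": "prod",
                            "version": {"number": "7.3.1"}})
SAMPLE_INDICES = json.dumps([{"index": "citizens", "docs.count": "16600000"},
                             {"index": "vehicles", "docs.count": "2500000"}])

if __name__ == "__main__":
    print(classify(200, SAMPLE_BANNER), exposure_size(SAMPLE_INDICES))
```

Run `audit("http://es-node.example:9200")` against each node in your inventory; any verdict with `"open": True` means the node is reachable without credentials from wherever the script ran, and `documents` tells you how much data that amounts to.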
Impact
The exposed records included:
- Full names, cédula identification numbers, dates and places of birth, home addresses, phone numbers, and email addresses.
- Data on 6.7 million children under 18, a particularly sensitive category.
- Roughly 7.5 million financial and banking records drawn from BIESS, including account balances and credit information.
- About 2.5 million vehicle and ownership records from the automotive association.
- Entries for prominent figures including then-President Lenín Moreno and Julian Assange, who had been granted Ecuadorian citizenship.
Response
After being notified, EcuCERT — Ecuador's computer emergency response team — moved to secure the server, which went offline on 11 September 2019. Investigators raided the home of Novaestrat's managing director, identified as William Roberto G., seizing computers, storage devices, and documentation. The telecommunications ministry stated the firm had "obtained the data in an illegal manner," and the manager was arrested.
Why it matters
At the time of the breach, Ecuador had no comprehensive data protection law. The Novaestrat exposure became the catalyst that pushed the National Assembly to fast-track the Ley Orgánica de Protección de Datos Personales, modeled on the EU's GDPR, which was ultimately enacted in 2021. The incident is now the standard cautionary tale in Latin America for two distinct failures: the unchecked aggregation of citizen data by private brokers, and the trivial misconfiguration — a database left open to the internet — that exposed an entire nation.
Timeline
- vpnMentor researchers Noam Rotem and Ran Locar discover an unsecured Elasticsearch server hosted in Miami and notify Ecuador's EcuCERT.
- EcuCERT intervenes and the exposed database is taken offline.
- The breach is made public; researchers report roughly 20.8 million records on nearly every Ecuadorian citizen.
- Ecuadorian authorities raid the home of Novaestrat's managing director, William Roberto G., seizing computers and storage devices.
- The telecommunications ministry states Novaestrat obtained the government data illegally; the manager is arrested.
- Ecuador's National Assembly fast-tracks work on a comprehensive personal data protection law in response.
Sources
- thehackernews.com: https://thehackernews.com/2019/09/ecuador-data-breach.html
- welivesecurity.com: https://www.welivesecurity.com/2019/09/17/ecuador-citizens-data-leak/
- cpomagazine.com: https://www.cpomagazine.com/cyber-security/leak-of-the-personal-information-of-20-million-in-ecuador-data-breach-leads-to-fast-tracking-of-an-improved-data-privacy-law/
- hub.packtpub.com: https://hub.packtpub.com/an-unsecured-elasticsearch-database-exposes-personal-information-of-20-million-ecuadoreans-including-6-77m-children-under-18