
Unprotected database exposes sensitive data of over 20M Ecuadoreans - mojoraja
https://cyware.com/news/unprotected-elasticsearch-database-exposes-sensitive-information-of-over-20-million-ecuador-citizens-58e5add8/
======
phasnox
If you think this is bad, there is a horrible security hole in the site of the
National Transit Agency.

They have the most imbecile password recovery mechanism: With only the
national id of the victim (cedula) you can recover their password!

I'm not talking about RESETTING the password, I mean they send you the literal
password that was set during account creation to ANY email you input.

This is the state and reflection of the incompetence, rot and corruption of
our current and past Government.

~~~
warp
The SRI (tax office?) publishes convenient CSVs with info on each taxpayer,
which includes RUC, full name and address.

For self-employed people I believe the RUC is the Cedula with "001" appended.
So it is easy to look up the Cedula of many people (I moved to Ecuador in
2014, my info is in that file).

[https://www.sri.gob.ec/web/guest/catastros](https://www.sri.gob.ec/web/guest/catastros)

~~~
phasnox
Oh god, I just grepped and found myself in there.

------
llarsson
There needs to be fines for when stuff like this happens. The bottom line is
all that matters to bosses, so unless engineers can credibly point to the
economic impact of poor security decisions, these things will keep happening.

------
argd678
The main problem with a lot of personal data is that it’s used for
identification right? There are other issues of course, but wouldn’t it make
sense to assign everyone a cryptographic key that’s just used for
authentication?

~~~
SahAssar
From the cached site (it seems to have been taken down since the news broke)
it seems that this dataset was more used for marketing:
[https://webcache.googleusercontent.com/search?q=cache:http%3...](https://webcache.googleusercontent.com/search?q=cache:http%3A%2F%2Fwww.novaestrat.com%2F)

You are right about providing a more proper digital authentication solution
for citizens, and at least one country has this[0], but in this case it just
seems that the data was being kept/exploited for no better reason than
marketing and that the company should not have had access to it from the
start.

[0]: [https://e-estonia.com/solutions/e-identity/id-card/](https://e-estonia.com/solutions/e-identity/id-card/)

------
farisjarrah
These sorts of things keep on happening all over the world. Last big breach I
read about was unsecured s3 buckets. Should AWS and Elastic and other software
infrastructure providers allow for these things to be deployed
unauthenticated? Not saying it's their fault that these security breaches
happen, but it's been pretty evident that many of their customers do not
understand security. Maybe the solution is to just default to a more secure
system out of the box, and make it much more difficult to make your system
insecure.

------
lervag
According to Wikipedia [0], the population of Ecuador is 16-17 million. Does
this database include dead people as well?

[0]:
[https://en.m.wikipedia.org/wiki/Ecuador](https://en.m.wikipedia.org/wiki/Ecuador)

~~~
Pete_D
According to the zdnet report
([https://news.ycombinator.com/item?id=20984119](https://news.ycombinator.com/item?id=20984119),
[https://www.zdnet.com/article/database-leaks-data-on-most-of...](https://www.zdnet.com/article/database-leaks-data-on-most-of-ecuadors-citizens-including-6-7-million-children/)), yes: "The bigger number comes from
duplicate records or older entries, containing the data of deceased persons."