Almost the entire population of Ecuador had their personal data leaked online, security experts said Monday, a massive breach that the government called a "very delicate" issue.
As many as 20 million people, including almost seven million minors and children, may have had their data exposed by a breach on an unsecured server run by an Ecuadorean marketing and analytics firm. All have been put at risk of identity theft after the security breach exposed a trove of data including names, phone numbers and birth dates.
Ecuadorian President Lenín Moreno said he would push through legislation to ensure stricter data security, while Interior Minister María Paula Romo vowed to hold those responsible accountable.
"The information that I can share with you at this moment is that this is a very delicate issue, it is a major concern for the whole of the government and the state," said Interior Minister María Paula Romo. "The information we've received is very serious."
The security company vpnMentor uncovered the breach on an unsecured server located in Miami run by the firm Novaestrat, which included citizens' full names, dates and places of birth, education levels, phone numbers and national identity card numbers. Researchers said the server contained information on over 20 million individuals, most of whom reside in Ecuador. The small South American nation is home to just over 17 million people, meaning nearly everyone could have been exposed.
ZDNet, the cybersecurity website that first reported the breach, said there was even data on the country's president and on Julian Assange, the WikiLeaks founder who applied for asylum in Ecuador and who spent years holed up in the country's London embassy before being arrested this year by British police.
As part of his application for asylum, Assange was issued with an Ecuadorean identity card.
The security company contacted Ecuador's Computer Emergency Response Team to secure the leaked data, ZDNet said.
Romo said the government was "working on an investigation which will permit us in the coming hours to assess who is responsible for what happened."
"I hope, too, that in the hours to come, the Telecommunications Ministry will be able to assess more thoroughly technical information about data protection," she said.
Experts said Ecuador does not have mechanisms in place requiring companies to protect personal data.
According to vpnMentor, the server in question is owned by Ecuadorian company Novaestrat, which did not respond to requests for comment from The Associated Press.
It wasn't immediately clear if anyone had wrongfully accessed the data. And while vpnMentor said the breach was closed Wednesday, it also noted the impact can be long lasting.
The information could potentially be used to commit everything from phone scams to business fraud.
"A malicious party with access to the leaked data could possibly gather enough information to gain access to bank accounts and more," the firm said in a statement.
The data includes national identity card numbers, tax identification numbers and even names of relatives.
The breach is one of several large-scale security lapses exposing the personal data of millions this year.
In July, Capital One said a hacker had accessed the personal information of 106 million credit card holders or credit card applicants in the United States and Canada.