Ecuador fast-tracks data privacy law after massive breach

By Gideon Long

Legislation rushed to Congress after personal details of 20m people exposed.

Ecuador’s government has rushed a draft privacy law to Congress in response to a massive data breach that left the personal details of more than 20m people exposed on an unprotected internet server.

The breach was discovered by researchers at VPNMentor, an internet company that reviews virtual private network services. VPNMentor said the data were found on an unsecured server in Miami owned by Novaestrat, a data analytics company based in Ecuador.

The data included the names of more than 20m individuals — more than Ecuador’s entire population — who hold Ecuadorean identification numbers, including children and dead people, along with their ID numbers, taxpayer IDs, home addresses, email addresses, phone numbers and education and employment records. In some cases, the listings included personal bank details.

The researchers informed the Ecuadorean authorities, who closed the breach on September 11.

In an ironic twist, WikiLeaks founder Julian Assange, one of the world’s best-known handlers of hacked data, was among those affected. He was given Ecuadorean citizenship during the seven years he spent at the country’s embassy in London until his arrest in April. Mr Assange is wanted in the US over his alleged involvement in the leak of classified information.

“We were able to view his name, as well as [a] value that may be a national identification number in Ecuador,” the researchers said.

On Monday, Ecuadorean police raided Novaestrat’s offices and arrested its chief executive. He is being questioned in Quito, the capital.

It is not known whether anyone accessed the data before the breach was discovered.

“The database is now closed, but the information may already be in the hands of malicious parties,” VPNMentor warned, adding that the leak “could have been prevented with some basic security measures”.

Ecuador is one of three South American nations, along with Venezuela and Bolivia, that have no data protection law. The government had been crafting one for nearly two years but the leak prompted it to finish its work and send the draft law to parliament on Thursday night.

The legislation recommends fines for companies that misuse data, compensation for victims of data fraud and punishment for companies and individuals that sell data obtained illegally.

Andrés Michelena, telecoms minister, said the draft had been drawn up “in accordance with European guidelines”.

Congress must now decide whether to approve the draft. The head of Congress has said it will be fast-tracked.

“This is part of the process of becoming a digitalised nation,” Mr Michelena said. “The first stage is having protection for personal data.”

The researchers at VPNMentor, who describe themselves as “ethical hackers”, said they had not stored the data or profited from it. “Our goal is to improve the overall safety and security of the internet for everyone,” they added.