Ecuador Data Breach

Written by: Chase Langhorne, Esq.

On September 16th the State Attorney General’s Office of Ecuador released a statement (Spanish) indicating that a privacy breach concerning the personal data of Ecuadorian citizens was being investigated. Specifically, servers belonging to Novaestrat, an Ecuadorian data analytics company. The breach was first discovered by the ethical-hacking group vpnMentor. Further investigation has revealed that the breach involved personal data of more than 20 million Ecuadorian citizens, including about 7 million children (some born as early as this spring). The population of Ecuador is only about 16.5 million so this database could potentially contain the personal data of every Ecuadorian citizen. The State Attorney General’s Office clarified that this number does include deceased citizens.

The server was located in Miami, Florida and was unsecured for an unknown amount of time. Novaestrat informed Ecuadorian authorities that the breach was closed on September 11th, but it remains to be seen how long unauthorized users could have had access to the personal data.

As a result, Ecuador’s government has fast tracked a draft of a data protection law to Congress. Ecuador has been in the process of drafting a data protection law for the past two years, but, for obvious reasons, produced a draft just days after the news of the breach broke. The data protection law is reportedly drafted “in accordance with European guidelines.”

The draft law establishes the National Personal Data Protection Authority (NPDPA) which will be the official Ecuadorian data protection authority in charge of overseeing rules and regulations surrounding data privacy. The draft law also calls for a National Database Registry which will require that all databases with financial and commercial ends must be registered with the National Personal Data Protection Authority. This type of national registry is not common, but is employed by some countries around the world. We will have to keep an eye out to see if the NPDPA provides further guidance that would limit the requirement of this database registration to certain industries. For example, some countries only require databases containing “sensitive information” (defined differently by each country) be registered. Overall, it is good to see countries taking an interest in their citizens’ personal data, however, it is unfortunate the sense of urgency was sparked by a breach.