A routine data project revealed that the personally identifying information of the entire nation of Ecuador might be online for all to see--just like, potentially, your data.
The information included records belonging to deceased citizens and more than 7 million minors. It was discovered by researchers from the security firm vpnMentor while conducting "a wide-scale Web mapping project."
According to vpnMentor's report, the ongoing project made the discovery possible by scanning ports "to find known IP blocks." It then searches for "vulnerabilities in the system that would indicate an open database." When a compromise is discovered, the company then traces the data back to its source and delivers the bad news.
While the full extent of the damage done here is not clear, it's sure sounds like a potentially Titanic-meets-iceberg level event.
What We (and the Bad Guys May) Know
The extremely granular personal information of more than 20 million people was exposed. Ecuador's population is 16.5 million, which means nearly 4 million of the individuals affected may be deceased.
The data included personal and corporate tax ID numbers and bank account information--including current balance in the account, amounts financed, credit types, and the location of a bank branch used by an individual. The same information about family members was also available, as well as how people in the data set were related to each other.
All the essential information needed for account authentication and/or takeover were there, too. A short list of the available data included full name (first, middle, last); gender; date and place of birth; home and work addresses; email addresses; home, work, and cell phone numbers; marital status; date of marriage (where applicable); date of death (where applicable); and the highest level of education achieved.
WikiLeaks founder Julian Assange was even in there, Ecuador's most famous asylum seeker.
Describing itself as an organization of ethical hackers, vpnMentor said in its statement about the discovery that it never sells, stores, or exposes compromised information, but rather uses the existence of a compromise or leak as a teachable moment.
Teachable Moments Are Expensive
Sponsored by IBM Security and independently conducted by the Ponemon Institute, the 13th-annual Cost of Data Breach Study found that the average per-record cost of a breach was $148 last year. That would put the cost of this compromise at nearly $3 billion.
So, what can we learn from this data debacle? The compromise was caused by--wait for it--a third-party vendor. According to CNN, the breach was found on an unsecured server in Miami, which appeared to be owned by an Ecuadorian consulting and analytics company called Novaestrat. While it remains unclear as to how Novaestrat gained access to the government database, it is presumed that someone currently, or formerly, in the Ecuadorian government handed over the data--no matter the reason--and in the process potentially exposed it to criminals around the world.
The first takeaway should be that you are only as secure as your least secure vendor and/or collaborator. In the realm of cyber-liability, that and three bucks will get you a cup of coffee to sip while you wait for the submarine to the unemployment line at the bottom of Loon Lake.
This sort of mistake keeps happening because people continue to doubt the persistent and pervasive threats we face in the business community and beyond.
It matters because the information exposed in this incident was sufficient for a competent identity thief to commit every imaginable identity-related crime. There's gold and endless liability in them thar hills of data.
What You Can Do
Practice the 3Ms.
Minimize your exposure: Vet your vendors! Foster a culture where everyone from the mailroom to the boardroom is invested in privacy and data security. Train your employees from their first day and have an ongoing discussion about best security practices. Create a map of information access, and make sure your most sensitive data is only available to those who need to have access and practice proper cybersecurity protocols to keep the data safe. Have a sensible BYOD (Bring Your Own Device) policy, and remind employees about the importance of installing updates on connected devices. Hire a chief information security officer--never leave your security solely to the IT department.
Monitor your networks and your assets: Make sure regular assessments are conducted on the security of all your data assets--and don't wait for a call from a "white hat" hacker.
Manage the damage: How an organization responds to a breach or compromise is a defining moment. It is crucial that you act urgently, transparently, and empathetically. In order to avoid an extinction-level event, have a robust incident response plan. Have a media plan, and consider putting a crisis management firm on retainer. Game various scenarios and have a team in place to help your clients, as well as both in-house and third-party experts who understand the timing and notification requirements in each state for various regulators, law enforcement officials, insurance companies, employees, and customers.
Can your company really afford to roll the dice on cybersecurity?