Security News Survey – September 20, 2019

This week, we look at data breaches affecting the entire population of Ecuador, millions of Lion Air passengers, and masses of medical records worldwide.

Imagine having every one of your fellow countrymen’s data exposed. In the U.S., it felt as though we came pretty close to that when major consumer credit reporting agency Equifax announced that a data breach compromised the personal information of nearly 150 million people. For the residents of Ecuador, however, a nationwide data breach appears to have become a reality.

Entire population of Ecuador compromised by unsecured server

In what many are calling an “unprecedented national data breach,” the information of potentially every one of Ecuador’s 16.5 million residents appears to have been compromised. Security researchers discovered that an unsecured Elasticsearch server managed by an Ecuadorian data analytics firm was publicly accessible and contained sensitive information on over 20 million people (it is speculated that the additional few million people affected could be those who are deceased). Anyone who accessed the database hit the jackpot with the variety of information housed inside: names, dates of birth, national ID card numbers, tax ID numbers, and more. At this time, it’s unclear who, if anyone, accessed the data before the server was locked down earlier this month. Ecuadorian officials have arrested an executive of the data analytics firm.

Lion Air data breach exposes millions

Another airline has a data breach on its hands. This time, it’s Indonesian budget airline Lion Air, the second-largest budget airline in Southeast Asia. New security research has revealed that personal data of millions of passengers of Lion Air brands Malindo Air and Thai Lion Air was left exposed via an unsecured AWS server. Security researchers have discovered that at least 35 million records have been circulating online. Compromised data includes names, dates of birth, passport numbers, contact information, and more.

Airlines have proven to be a popular target for data breaches in the last couple of years, with major data breaches hitting international airlines like British Airways, Air Canada, and Cathay Pacific. 

Millions of medical records publicly available online 

And we’re rounding out this week’s survey with yet another unsecured server—or rather, many servers. Early this week, security researchers revealed that 187 servers country-wide have been exposing medical information (including images such as X-rays, MRIs, and CT scans) of millions of individuals. And just a day after this report, another study revealed that the medical data of 24.3 million patients is publicly available on the internet via unsecured servers. Data included medical imagery along with patient names, dates of birth, and certain details of the examination. 

These latest revelations are adding to the increasing scrutiny placed on organizations in the healthcare industry, which is leading the pack in volume of exposed records so far this year.