Disclosures:
Our Reviews

WizCase includes reviews written by our experts. They evaluate the products/services in accordance with their professional standards.

Ownership

Kape Technologies PLC, the parent company of Wizcase, owns CyberGhost, ZenMate, Private Internet Access, and Intego, which may be reviewed on this website.

Referral fees

Wizcase may earn an affiliate commission when a purchase is made using our links. However, this has no influence on the content of the reviews we publish or on the products/services reviewed. Our content may include direct links to buy products that are part of affiliate programs.

Reviews standards

All reviews published on Wizcase meet our strict reviewing standards, in order to ensure that each review is based on the reviewer's independent, honest, and professional examination of the product/service. Such standards require the reviewer to consider the technical qualities and characteristics of the product alongside its commercial value for users, which may affect the product's ranking on the website.

BREACH: Data Leak Exposes Personal ID’s of Over 14 Million Chilean Citizens

Cyber Research Team
Published by Cyber Research Team on August 01, 2019

WizCase has discovered a database leak that contains identifiable information for over 14 million Chilean residents, aged 17+. The 3 GB database was hosted by Softlayer Technologies in Dallas, Texas, USA, but they are not responsible for the leak.

Editor’s note: The Chilean Electoral Service has confirmed the authenticity of this data, but denied they run the leaky server. 

What’s Going On

Daniel Brown, a cybersecurity team leader at WizCase and white-hat hacker (or hacktivist), found a database leak that contains data on nearly every Chilean adult. Our team has tried to identify the owners of the database but it still remains unclear.

Therefore we decided to contact the hosting company instead, on the 30th of July.

Chile Hack

A snippet from the leaked database

The database includes:

  • Name
  • Gender
  • Address
  • Age
  • RUT Number – This is a national ID number, similar to a social security number. It can be used to open bank accounts, credit card, online purchases and more.
  • ID Number – After some research, we determined that this isn’t a passport ID number as it is not a 9-digit ID. We believe that this might be an internal identification number

Who Is Affected by This Leak?

According to census data from the World Population Review, there are an estimated 14.5 million adults in Chile, so it’s safe to assume that this database contains the entire adult population of the country.

We did a quick search, and we were able to find the RUT number and address for the Chilean President Sebastián Piñera, along with former President Michelle Bachelet.

Data for Chile President and Former President

Personal information found on President Piñera and Former President Bachelet

This data can be extremely valuable if it falls into the wrong hands. The RUT (Rol Único Tributario) is a Tax ID number (it’s the same number as a RUN (Rol Único Nacional) which is a civil register ID number) and it is required for any financial moves such as:

  • Buying a house
  • Buying a car
  • Opening a bank account
  • Collecting loyalty points at a store
  • Getting a telephone

Once the hacker has a person’s full name, address, tax ID and civil registry ID, it would be easy to target the person in a variety of financial fraud scams and identity theft.

Additionally, by accessing a person’s private address it could set them up for a robbery by simply checking in on their social media accounts and tracking their whereabouts since their physical address was leaked.

How Did it Happen? How Can it be Avoided

The leak occurred due to an unsecured Elasticsearch engine on an exposed server. The default setting for Elasticsearch requires no authentication mechanism since it’s meant to be installed in internal networks. If such a server is open to the internet then anyone with the IP address and port number could access it.

A good “security in-depth” approach would have helped secure the data. Meaning, setting up several lines of defense in case some are bypassed or misconfigured. For example, if the server is configured improperly (not behind a firewall/exposed/etc.)then the second line of defense (password authentication) would have helped secure the data.

Who is Wizcase?

WizCase is an international cybersecurity website, with a focus on unbiased VPN reviews and tutorials. Our security research team includes some of the leading white hat hackers who are continually searching for significant data leaks. Before releasing our research to the public, we first attempt to contact the companies so they can plug the leak, and securing their user’s data.

Did you like this article? Rate it!
I hated it I don't really like it It was ok Pretty good! Loved it!
4.67 Voted by 6 Users
Title
Comment
Thanks for your feedback
Cyber Research Team
The WizCase Cybersecurity Research Team aims to investigate and uncover the latest threats on the internet. The global research team uses ethical hacking methods to shine a light on data breaches, privacy leaks, and security flaws within online communities and organizations.