BREACH: Data Leak Exposes Personal ID’s of Over 14 Million Chilean Citizens
WizCase has discovered a database leak that contains identifiable information for over 14 million Chilean residents, aged 17+. The 3 GB database was hosted by Softlayer Technologies in Dallas, Texas, USA, but they are not responsible for the leak.
Editor’s note: The Chilean Electoral Service has confirmed the authenticity of this data, but denied they run the leaky server.
What’s Going On
Daniel Brown, a cybersecurity team leader at WizCase and white-hat hacker (or hacktivist), found a database leak that contains data on nearly every Chilean adult. Our team has tried to identify the owners of the database but it still remains unclear.
Therefore we decided to contact the hosting company instead, on the 30th of July.
A snippet from the leaked database
The database includes:
- RUT Number – This is a national ID number, similar to a social security number. It can be used to open bank accounts, credit card, online purchases and more.
- ID Number – After some research, we determined that this isn’t a passport ID number as it is not a 9-digit ID. We believe that this might be an internal identification number
Who Is Affected by This Leak?
According to census data from the World Population Review, there are an estimated 14.5 million adults in Chile, so it’s safe to assume that this database contains the entire adult population of the country.
We did a quick search, and we were able to find the RUT number and address for the Chilean President Sebastián Piñera, along with former President Michelle Bachelet.
Personal information found on President Piñera and Former President Bachelet
This data can be extremely valuable if it falls into the wrong hands. The RUT (Rol Único Tributario) is a Tax ID number (it’s the same number as a RUN (Rol Único Nacional) which is a civil register ID number) and it is required for any financial moves such as:
- Buying a house
- Buying a car
- Opening a bank account
- Collecting loyalty points at a store
- Getting a telephone
Once the hacker has a person’s full name, address, tax ID and civil registry ID, it would be easy to target the person in a variety of financial fraud scams and identity theft.
Additionally, by accessing a person’s private address it could set them up for a robbery by simply checking in on their social media accounts and tracking their whereabouts since their physical address was leaked.
How Did it Happen? How Can it be Avoided
The leak occurred due to an unsecured Elasticsearch engine on an exposed server. The default setting for Elasticsearch requires no authentication mechanism since it’s meant to be installed in internal networks. If such a server is open to the internet then anyone with the IP address and port number could access it.
A good “security in-depth” approach would have helped secure the data. Meaning, setting up several lines of defense in case some are bypassed or misconfigured. For example, if the server is configured improperly (not behind a firewall/exposed/etc.)then the second line of defense (password authentication) would have helped secure the data.
Who is Wizcase?
WizCase is an international cybersecurity website, with a focus on unbiased VPN reviews and tutorials. Our security research team includes some of the leading white hat hackers who are continually searching for significant data leaks. Before releasing our research to the public, we first attempt to contact the companies so they can plug the leak, and securing their user’s data.