Image: Andrés Michelena Ayala

Ecuadorian authorities have arrested the executive of a data analytics firm after his company left the personal records of most of Ecuador's population exposed online on an internet server.

The arrest is part of an official investigation that Ecuadorian officials got underway after ZDNet and vpnMentor published articles yesterday, exposing the massive breach, the biggest in the country's history.

According to our reporting, a local data analytics company named Novaestrat left an Elasticsearch server exposed online without a password, allowing anyone to access its data.

The data stored on the server included personal information for 20.8 million Ecuadorians (including the details of 6.7 million children), 7.5 million financial and banking records, and 2.5 million car ownership records.

Investigation underway

The news that his staggering amount of information had leaked online sent a shockwave through the small South American country, but the Ecuadorian government reacted immediately.

In a press conference held on Monday, after news of the massive breach broke, the Ministry of Telecommunications and Information Society announced an investigation into Novaestrat, the source of the leak.

Officials said the company was not supposed to be in possession of the data it had, and that the company and its managers had been put under investigation on charges of violation of privacy and dissemination of personal information without authorization.

Ministry officials said they were still looking into how the company got hold of so much sensitive information; however, they said the company did not hack or breach any of Ecuador's government servers.

Officials said they believed that Novaestrate might have gained access to government data during the former political regime, between 2015 and 2017, when it was awarded several government contracts.

Arrest made on the same day

After the formal investigation's announcement, local law enforcement forces moved in pretty quick. Hours later, federal police raided Novaestrat's office, which also served as the home of Novaestrat general manager William Roberto G..

Authorities seized computer equipment from the executive's home, and took the Novaestrat executive under custody a few hours later, across the country, in Ecuador's Esmeraldas region, according to a tweet from María Paula Romo, Ecuador's Interior Minister.

Esta tarde / noche la @PoliciaEcuador realizó el allanamiento del local señalado como domicilio de #Novaestrat que es además el domicilio de uno de sus directivos.



Allanamiento se hizo con orden de juez en el marco de la investigación que conduce @FiscaliaEcuador pic.twitter.com/toD79a1FDO — María Paula Romo (@mariapaularomo) September 17, 2019

Hace pocos minutos @PoliciaEcuador retuvo, en la provincia de Esmeraldas, al señor William Roberto G.



Gerente de #Novaestrat



Será trasladado de inmediato para que @FiscaliaEcuador pueda recabar información en el marco de la investigación que realiza. — María Paula Romo (@mariapaularomo) September 17, 2019

The State Attorney General's Office later confirmed Romo's social media posts.

New privacy law

But the massive privacy breach also served as a wake-up call for the local government. In the aftermath of the breach, Ecuador's president asked government officials to expedite the process of passing a new data privacy law.

In a statement on the Ministry of Telecommunications website, Telecommunications Minister Andres Michelena Ayala confirmed that his ministry would comply with the president's request, and submit a new law to the parliament in the next three days.

Michelena said his office has been working on the new data privacy law for the past eight months.