The Ecuadorian government has given itself 72 hours to finish drafting a national privacy law following a massive data breach that put the personal information of perhaps its entire population at risk.
The announcement, made Monday by Minister of Telecommunications and the Information Society Andres Michelena Ayala, came after reports that data analytics company Novaestrat left an exposed U.S. server online. That server reportedly stored the personal and financial information of 20.8 million Ecuadorians, including 6.7 million children.
“It is not a hacking or a cyber-attack on state databases,” Ecuador’s Telecommunications Ministry announced in a translated statement. “All government institutions have updated security systems that allow identifying and counteracting possible attacks and intrusions. It is presumed that these databases have been fed through the possible commission of a crime by the company Novaestrat SA with the alleged collaboration of former public officials of the previous regime who had access to this information and through access to this information in the execution of contracts in the years 2015-2017.”
The breach was discovered by internet security firm vpnMentor and reported on Sept. 11. The database has since been shut down, but the damage “can’t be undone,” the firm stated in its report, which also revealed Wikileaks founder Julian Assange was among those affected. Assange, when granted political asylum, lived in London’s Ecuadorian embassy from 2012 until his arrest earlier this year.
Ecuador is home to roughly 16.5 million people—and the greater number of potentially affected individuals by the breach might be attributed to records of the deceased also being exposed, the Ecuadorian State Attorney General’s Office alluded to.
In the aftermath, Novaestrat Legal Representative William Roberto G was arrested following a raid at his home Monday.
As part of the fallout of the breach, Ecuador is rushing to restore order with a blanket privacy law. The country has been working on the legislation for eight months, according to Ayala.
“We as Government and by provision of President Moreno, in a term not exceeding 72 hours, we will issue the Law on Protection of Personal Data,” Ayala said in a translated statement. “… It will be a reason precisely to correct any distortion that has occurred in the previous regimes, with the previous systems to protect the data of all Ecuadorians.”
The draft law will be submitted to the National Assembly. At present, Ecuadorian legislation does not have effective legal mechanisms for the protection of personal data, according to the Telecommunications Ministry.