Unprotected Elasticsearch database exposes voter information of over 14.3 Million Chileans

• The leaky database contained names, gender, age, addresses, and tax ID numbers (RUT, or Rol Único Tributario) of 14,308,151 individuals.
• The owner of the open database still remains unknown, however, the researcher learned that the database is hosted by Softlayer Technologies in Dallas, Texas, USA.

What’s the matter?

A security researcher at WizCase, Daniel Brown discovered an unprotected Elasticsearch database that contained voter information for over 14.3 million Chileans, which accounts for nearly 80% of the country's entire population.

What was exposed?

The leaky database contained names, gender, age, addresses, ID number, and RUT number or Rol Único Tributario number of 14,308,151 individuals including Chilean President Sebastián Piñera and former President Michelle Bachelet.

“This data can be extremely valuable if it falls into the wrong hands. The RUT (Rol Único Tributario) is a Tax ID number (it’s the same number as a RUN (Rol Único Nacional) which is a civil register ID number) and it is required for any financial moves such as:

• Buying a house
• Buying a car
• Opening a bank account
• Collecting loyalty points at a store
• Getting a telephone

Once the hacker has a person’s full name, address, tax ID and civil registry ID, it would be easy to target the person in a variety of financial fraud scams and identity theft,” the researcher explained in a blog.

The big picture

The researcher who discovered the database reported the issue to ZDNet in order to determine the nature and source of the database. ZDNet analyzed the database and confirmed the validity and accuracy of the data contained in the leaky database.

A spokesperson for Servicio Electoral de Chile (Servel) also confirmed the data's authenticity, however, they denied owning the database.

The owner of the exposed database still remains unknown, however, the researcher learned that the database is hosted by Softlayer Technologies in Dallas, Texas, USA, but they are not responsible for the leak. On July 31, 2019, the researcher contacted the hosting company but did not hear back from them.

Worth noting

It should be noted that the unsecured database is over two years old. A Servel spokesperson confirmed to ZDNet that the data contained in the server dates back to 2017.

Servel further confirmed that “access to critical service data is not given to external contractors.” However, Servel believes that the only possible way for the data leak might be someone scraping this information from the agency’s website and later storing it in this database.