Researchers say they have discovered a data breach revealing sensitive personal information, such as bank balances and salary information, that may impact over 20 million people, including nearly the entire population of Ecuador.

A data breach involving a large amount of sensitive personally identifiable information on an unsecured network in Miami, Florida, may affect over 20 million people located in Ecuador, according to a research team at vpnMentor.

In an effort to provide some additional context regarding the scale of the leak, vpnMentor adds that the population of Ecuador is only 16 million people.

According to the report, the server in question appears to be owned by the Ecuadorian data analytics consulting company, Novaestrat, and the leaked database seems to contain information obtained from outside sources, which may include Ecuadorian government registries, an automotive association called Aeade, and an Ecuadorian national bank called Biess.

The researchers say they were able to identify individuals in the database by a ten-digit ID code, and in some cases the code was called “cedula” and “cedula_ruc,” which, in Ecuador, refers to a person’s national identification number, similar to a social security number in the United States.

The term “RUC” refers to Ecuador’s unique taxpayer registry, meaning that a person’s taxpayer identification number may also be included in the data breach.

Among the personal information discovered, vpnMentor says they were able to find the full name, gender, date of birth, place of birth, home address, email address, home, work, and cell phone numbers, marital status, date of marriage, date of death, and level of education of the identified individuals.

The researchers also say they discovered financial information regarding accounts held with the Ecuadorian national bank Biess, such as account status, current account balance, amount financed, credit type, as well as employer name, employer location, employer tax ID number, job title, salary information, job start date, and job end date.

But what vpnMentor said was most concerning about this particular data breach was that its team was able to find detailed information about people’s family members, such as the full name of each person’s mother, father, and spouse, as well as each family member’s “cedula.”

In addition to personal information, the data breach revealed details regarding companies in Ecuador, as well as each company’s legal representative and their contact information.

The report added that leaked email addresses and phone numbers, combined with the breach of personal information, can make it easier for hackers to conduct more successful scams and phishing attacks, because an attack could be tailored to each person’s personal profile, making it more likely that the target will click on the links.

“This data breach is particularly serious simply because of how much information was revealed about each individual,” affirms the report. “Scammers could use this information to establish trust and trick individuals into exposing more information.”

The researchers noted that a scammer, for example, could pretend to be a friend of a family member in need of financial help, and could back up their story and build trust using the personal information they obtained in the data breach.

“Most concerning, the leaked data seems to include national identification numbers and unique taxpayer numbers,” said the researchers. “This puts people at risk of identity theft and financial fraud.”

The vpnMentor research team describes itself as “ethical hackers” who search for vulnerabilities in a system indicating an open database. The report maintains that ethical hackers “never sell, store, or expose” the information they find. “Our goal is to improve the overall safety and security of the internet for everyone,” says vpnMentor.

“Once a data breach is found, our team links the database back to the owner,” the report adds. “We then contact the owner, inform them of the vulnerability, and suggest ways that the owner can make their system more secure.”

According to vpnMentor, the Ecuadorian data breach was closed on September 11, 2019.

You can follow Alana Mastrangelo on Twitter at @ARmastrangelo and on Instagram.