Citizen PII Exposure - WordPress REST API

Summary

Citizen personal data was publicly accessible without authentication across multiple WordPress comment datasets.

Citizens post IMEI numbers, cédula (national ID), phone numbers, and full names in public comments requesting IMEI unlocking and device registration.

Citizens post personal data in comments requesting social services (Bono de Desarrollo Humano, disability assistance, etc.).

Data Type	Total
Cédulas (national IDs)	691
Phone numbers	656
IMEI numbers	93
Email addresses	111
Citizen names	4,296
Cédula-name deanonymization pairs	765

Top Domains	Count
msp.gob.ec (Health Ministry)	142
espoch.edu.ec (ESPOCH University)	133
iess.gob.ec (Social Security)	67
arcotel.gob.ec (Telecom)	66
uta.edu.ec (Technical University)	38
cpccs.gob.ec (Citizens Participation)	25
bce.ec (Central Bank)	27
cfn.fin.ec (National Finance)	19
celec.gob.ec (State Electric)	9

Ecuador's national ID (cédula) is a 10-digit number used for ALL government services
Pairing cédulas with names enables identity theft and social engineering
IMEI numbers can be used to track mobile devices
All data is accessible via unauthenticated HTTP GET requests to WordPress REST API
Neither ARCOTEL nor Inclusion.gob.ec have disabled public comment access
The WordPress API returns comments with full author names by default

ARCOTEL meeting password published in WordPress post: wUZNtk8uj53
ECU911 internal IPs in post content: 10.121.6.234, 10.121.7.112, 192.168.1.232, 192.168.2.144