A significant data leak has exposed the sensitive information of over 10 million Chileans, which represents more than half of the country’s population. Cybernews researchers discovered the breach at Caja Los Andes, Chile’s largest pension and social security fund, on July 4. Founded in 1953, Caja Los Andes is the largest Family Allowance Compensation Fund (CCAF) in Chile, offering health insurance, pension funds, loans, and mortgages. With around 3,000 employees and approximately 100 billion Chilean Pesos in equity, the organization’s failure to secure its data poses a severe risk to its clients.
The breach resulted from a misconfiguration of Caja Los Andes’ Apache Cassandra database, which lacked proper authentication, leaving the private data of citizens accessible online. The leaked information includes names, home addresses, dates of birth, phone numbers, credit amounts, payment locations, and credit usage details. Alarmingly, the dataset affects over twice the number of people who were reported as members of the fund in 2023, suggesting that the leak encompasses family members, former clients, or even deceased individuals.
The implications of such a substantial leak are concerning, as millions of affected clients now face heightened risks of identity theft and fraud. The combination of leaked home addresses and financial details could make individuals vulnerable to targeted robberies or physical threats. Additionally, the presence of personal identifiable information (PII) like email addresses makes this dataset particularly valuable for phishing attacks and other scams, potentially leading to significant financial exploitation.
In response to the leak, Cybernews reached out to Caja Los Andes, which denied the occurrence of any data breach and stated that no contingencies had been recorded. The organization emphasized its ongoing efforts to protect member data and vowed to strengthen its cybersecurity measures while investigating the alleged leak. This incident not only jeopardizes the personal information of countless individuals but also risks reputational damage to Caja Los Andes. According to Chile’s data protection laws, the organization could face severe penalties, including fines of up to 4% of its annual income and possible lawsuits from affected individuals.
Reference: