Data of more than half of Chile’s population exposed in massive leak


Caja Los Andes, Chile’s largest pension and social security fund, has exposed the sensitive data of half of the country’s population, Cybernews researchers have found.

On July 4th, the Cybernews research team discovered a massive data leak at Caja Los Andes, which affected 10 million Chileans. Such staggering numbers constitute more than half of the country’s population.

Founded in 1953, Caja Los Andes is the largest Family Allowance Compensation Fund (CCAF) in Chile. It provides citizens with health insurance, pension funds, loans, and mortgages. The company employs nearly 3,000 employees and has approximately 100 billion Chilean Pesos, or $1 billion, in equity.

ADVERTISEMENT

A leak of this scale is a huge cause of concern, as it affects a large part of the country. CCAF funds in Chile are part of the Social Security system, providing crucial financial services to citizens.

The leak occurred because the organization's Apache Cassandra database lacked authentication. The database stored the private data of citizens who used the fund's services, and the unfortunate misconfiguration left all of it available to anyone on the internet.

Leaked private data included:

  • Names and surnames
  • Home addresses
  • Dates of birth
  • Phone numbers
  • Credit amounts
  • Places where payments were made
  • Credit usage details

Although the fund reportedly had over four million members in 2023, the leaked dataset contains data on more than twice that amount.

“This suggests that the leaked database likely includes family members, individuals who have switched providers, or those who may have passed away,” explains the Cybernews research team.

Alarmingly, millions of the fund’s clients are at risk of identity theft, with their personal information potentially being exploited for fraud, targeted scams, and phishing attacks.

persones_data_4
Names and phone numbers of 10 Million people.
ADVERTISEMENT

“Leaked home addresses and financial details coupled in one leak make these people vulnerable to targeted robberies or physical threats,” said Cybernews researchers.

“What’s more, they could become prime targets for scams and financial exploitation even without direct physical threats as there are plenty more PII, such as email addresses, that make this dataset a valuable target for phishing operations.”

persones_data
Last names and home addresses of 10m people.

Apart from threatening the fund’s clients, such a data leak poses serious reputational damage risks to the organization. According to Chile's data protection laws, the company responsible for leaking personal data could be subject to severe penalties, including fines that could reach up to 4% of its annual income and potentially large-scale lawsuits from affected individuals​.

Cybernews contacted Cajas Los Andes, and the leaking instance has been closed. In an official statement, the company denied the information regarding a leak.

“Caja Los Andes makes constant efforts to guarantee the protection of our members' data protection of our members' data. To date, no contingencies have been recorded,” said the organization’s spokesperson in a written statement.

“We will continue working to strengthen our cybersecurity standards and investigating, together with our internal and external teams, the possible origin of the alleged information,” added the spokesperson.

sucursales
Branch locations.

This is not the first time that civil data has been leaked at a massive scale in South America. At the beginning of 2024, Cybernews reported on a massive data leak that affected the entire population of Brazil.

Unprotected access to a cloud server resulted in the leak of full names, dates of birth, sex, and Cadastro de Pessoas Físicas (CPF) numbers, putting the citizens of the largest nation on the continent at risk of identity theft, fraud, and targeted cybercrimes.

ADVERTISEMENT

Updated on August 20th with a statement from Caja Los Andes.