Records on about 220 million Brazilians are likely to have fallen into the hands of criminals. Extensive databases have leaked, including full names, dates of birth and tax numbers (CPF). The CPF plays an important role in everyday life in Brazil.
The Brazilian cybersecurity laboratory PSafe uncovered the hack. Information about companies and authorities is also affected. The stolen data must also include records of the deceased, as Brazil currently has around 212 million inhabitants.
In addition to the personal data, information about more than 104 million vehicles is included, including chassis number, license plate number, registration area, color, make, model, year of manufacture, engine capacity and fuel type. All of this data is said to be for sale online.
Serasa Experian denies this
How the data was captured is still unclear. The daily newspaper Estadão from the economic metropolis of São Paulo considers it likely that it is a database of the credit rating company Serasa Experian. It is the Brazilian counterpart to the German Schufa and the North American credit bureaus Equifax, Transunion and Experian. Serasa Experian is a subsidiary of Experian.
Serasa Experian assesses the creditworthiness of consumers and entrepreneurs. Journalists at Estadão report in the Monday edition that they had access to part of the data; the credit rating agency was mentioned there. One of the databases belongs to the Serasa service Mosaic. The company denies this and promises to investigate the case.
Biggest data leak in the history of Brazil
“As far as we are currently informed, it is the biggest and most dangerous data leak in the history of Brazil,” lawyer and data protection expert Bruno Bioni from the non-profit organization Data Privacy Brasil told Estadão. Bioni compares the case to the hacking jackpot in the US when the credit bureau Equifax was hacked. Data on 145 million people was captured there in 2017.
Emilio Simoni, director of PSafe owner dfndr lab, sees considerable risk potential for consumers: “This data can easily be used for phishing. Once the cybercriminal has the CPF and other actual data of the person, it would be easy to (…) obtain more critical data of the victim, which could be used, for example, to apply for credit, bank passwords and to order services.”
Data protection law comes too late
The case only came to light when the perpetrators offered the data for sale: “The cyber criminals make part of the databases available to prove the truthfulness of the information they have obtained. They want to make a profit by selling more detailed data such as e-mails, telephones, purchasing power data and professions of the persons concerned,” says Simoni.
The data leak is likely to be the first major challenge facing the Brazilian data protection authority ANPD. A new data protection law provides for severe penalties in cases like this, but it won’t come into force until August. Bioni is therefore asking the consumer protection center Senacon to intervene now.