After MTE failure, data for 9 million Brazilians are released for free | Antivirus and Security

On March 19, we reported a flaw in an old website of the Ministry of Labour (MTE) that gave access to data on Brazilian citizens. The vulnerable site was taken down after Tecnoblog's investigation, but the damage was already done. At least that is what a file with 9 million records, found for download on a forum, indicates.

Brazilian flag (image: Cesar Fermino / Free Images)

The problem was revealed to Tecnoblog by a security expert who identifies himself as Andrey. He found that the address of Juventude Web, an old system that had been maintained by the MTE, returned the following data without requiring any authentication whenever a specific request included a CPF number:

  • CPF;
  • Full name;
  • Date of birth;
  • Street;
  • House number;
  • Complement;
  • Neighborhood;
  • Municipality;
  • State;
  • Mother’s name.

This week, Andrey contacted Tecnoblog to warn that a database apparently extracted from the API used by Juventude Web was available for download on a forum. The records in the file do in fact match the fields in the MTE database.

Initially, the person responsible for capturing the data tried to sell the database on the same forum for US$ 100, with payment in Bitcoin, Ethereum or another cryptocurrency.

On the page, he stated that the file had been extracted from the Ministry of Labour (a body that, in 2019, was converted into the Secretariat of Labor of the Ministry of Economy) and offered a sample of 50 thousand records from the database for download.

Apparently there were no takers: days later, the complete database, about 1.3 GB in size, was placed for download on the same forum, without the US$ 100 charge.

The complete archive contains more than 9 million records on individuals. This number does not correspond to the entire database, however. The CPFs that we tested last week to confirm the flaw in Juventude Web, for example, do not appear in the file.

Base with data from 9 million Brazilians (image: Emerson Alecrim / Tecnoblog)

But that does not lessen the seriousness of the problem. According to Andrey, the author most likely used Python to exploit the faulty API, collect the information and store it in a database, which suggests that other attackers may have run the same procedure on other occasions.

Another point that reinforces this possibility is that Andrey found scripts exploiting the vulnerability in online repositories.
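The two paragraphs above describe the scraper's side: one client walking through CPFs against an endpoint that answers without authentication. As an added example, not code from Tecnoblog, Andrey or the MTE, the script below shows what a defender could run over the site's access logs to spot that kind of bulk collection: it parses Nginx/Apache "combined" log lines and flags any client that successfully looked up many distinct CPFs within a short window. The endpoint path /api/consulta?cpf= and the log lines are constructed for the example (the CPF values are placeholders, not valid check-digit CPFs) and are not the real Juventude Web API.

```python
"""Spot bulk CPF enumeration in web-server access logs.

Added example (not code from Tecnoblog, Andrey or the MTE). The endpoint
path /api/consulta?cpf= and the sample log lines are constructed for this
example; they are not the real Juventude Web API.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Nginx/Apache "combined" log format; only the fields we need are captured.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \d+'
)
CPF_RE = re.compile(r"[?&]cpf=(\d{11})\b")
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line):
    """Return (ip, timestamp, cpf, status) for a CPF lookup request, or None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    c = CPF_RE.search(m.group("path"))
    if not c:
        return None
    ts = datetime.strptime(m.group("ts"), TS_FMT)
    return m.group("ip"), ts, c.group(1), int(m.group("status"))


def mask_cpf(cpf):
    """Keep only the last two digits so a findings report does not re-leak the CPF."""
    return "*" * 9 + cpf[-2:]


def find_enumerators(lines, window=timedelta(minutes=5), threshold=20):
    """Return {ip: max distinct CPFs looked up in any `window`} for clients
    at or above `threshold`. Only 2xx responses count: those are the
    requests that actually returned a record."""
    per_ip = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec and 200 <= rec[3] < 300:
            per_ip[rec[0]].append((rec[1], rec[2]))

    findings = {}
    for ip, events in per_ip.items():
        events.sort()
        best, start = 0, 0
        for end in range(len(events)):
            # Slide the window start forward until it fits within `window`.
            while events[end][0] - events[start][0] > window:
                start += 1
            best = max(best, len({cpf for _, cpf in events[start:end + 1]}))
        if best >= threshold:
            findings[ip] = best
    return findings


def constructed_log():
    """Constructed sample: a scraper walking sequential CPFs (plus a few
    failed lookups), one ordinary user, and one unrelated static request."""
    base = datetime(2021, 3, 26, 10, 0, 0, tzinfo=timezone.utc)

    def entry(ip, secs, cpf, status):
        ts = (base + timedelta(seconds=secs)).strftime(TS_FMT)
        return f'{ip} - - [{ts}] "GET /api/consulta?cpf={cpf} HTTP/1.1" {status} 512'

    lines = [entry("203.0.113.7", 2 * i, f"{10000000000 + i:011d}", 200) for i in range(30)]
    lines += [entry("203.0.113.7", 70 + i, f"{99900000000 + i:011d}", 404) for i in range(5)]
    lines += [entry("198.51.100.2", 30, "12345678901", 200),
              entry("198.51.100.2", 95, "12345678901", 200)]
    lines.append('198.51.100.2 - - [26/Mar/2021:10:01:40 +0000] "GET /static/logo.png HTTP/1.1" 200 9001')
    return lines


if __name__ == "__main__":
    for ip, n in find_enumerators(constructed_log()).items():
        print(f"{ip}: {n} distinct CPFs in a 5-minute window")
```

On the constructed sample, only the scraper address is flagged (30 distinct CPFs); the ordinary user, who looked up the same CPF twice, is not. The threshold and window are assumptions to tune per site, and `mask_cpf` is there so that whatever the script reports can be passed around without repeating the exposure.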

Vulnerable site has been disabled

Questioned by Tecnoblog about the problem last week, the Secretariat for Public Policies for Employment of the Special Secretariat for Productivity, Employment and Competitiveness of the Ministry of Economy (SPPE / SEPEC / ME) reported that the vulnerable site had been taken down shortly after the agency became aware of the problem.

Juventude Web is indeed no longer online, so the database can no longer be accessed through the vulnerability.

The problem is that, since the flawed site was online for a long time (the first version of Juventude Web dates back to 2009), the chances that the flaw was exploited for months or even years are not small.

We contacted SPPE / SEPEC / ME this Friday, but, as of the publication of this text, the agency had not provided a statement.

LGPD for public agencies

The General Personal Data Protection Act (LGPD) does not apply only to companies in the private sector. Government agencies are also subject to sanctions for exposing personal information.

It is up to the National Data Protection Authority (ANPD) to analyze each case and decide on the punishment. Public agencies are subject to warnings and administrative sanctions, while private companies can be fined up to 2% of annual revenue, capped at R$ 50 million.

However, punishments can only be applied from August 2021.
