All about the data leak of 223 million Brazilians

On the 19th, the massive leak of a national database exposed confidential information from 223 million Brazilians, as revealed by the cybersecurity company PSafe’s dfndr lab.

Pointed as the biggest data leak in the history of Brazil, the case scared many people, due to the amount of information that was exposed, facilitating the application of scams and fraud.

The leak included CPFs of deceased people.Source: Federal Government / Disclosure

Thinking to clarify some doubts, we have gathered in this text everything we know about the data leak so far.

What data was leaked?

Initially, a leak of 223 million CPFs was reported, including name, sex, date of birth and other information. Subsequently, the company announced a second undue disclosure, this time much more complete.

In addition to the data mentioned above, the two exhibitions revealed:

  • Adresses
  • Telephone numbers
  • Vehicle data (license plate, chassis number, etc.)
  • Information on CNPJs (corporate name, trade name and date of foundation)
  • Income Tax Details
  • Face Photos
  • INSS benefits
  • Information from public servants
  • Education
  • LinkedIn Signups
  • Financial data (credit score, bad checks and income, among others)

Where were they taken from and how?

For now, there is only suspicion as to where that data would have been stolen. One of the possibilities pointed out is that the information belonged to Serasa Experian, but the company denied that its system had been invaded.

There is also a chance that the gigantic database was formed, gathering information from previous leaks, including improper access to the systems of companies and public agencies.

Due to the lack of details about the origin of the data, it is not yet known how the hacker (s) acted.

And those responsible for the action?

According to the company that identified the leak, the bases were posted by a cybercriminal on an online forum. In addition to the free CPF list, he sold the most complete information package.

Financial information was also exposed.Financial information was also exposed.Source: Freepik

The number of leaked CPFs is greater than that of inhabitants. Because?

According to the IBGE, Brazil currently has an estimated population of 212.6 million. The amount of data leaked indicated the exposure of the documents of 223 million people.

The explanation for this difference is simple: data on deceased persons has been included.

What are the risks to the population?

Various types of scams can be applied to stolen data. Committing crimes posing as someone else, opening a bank account, making an undue withdrawal from the Severance Pay Fund (FGTS) and signing up for social programs using false documents are some of the possibilities.

Criminals can also use the data to make false charges, for example, posing as banks, finance companies, service providers and even the government.

What could I have done to protect my information?

With regard to this mega leak, the affected people could not do anything to prevent it, since the responsibility to protect data lies with the recipient (companies, government, social networks, etc.).

But you can mitigate the risks by taking care to avoid reporting personal data to untrusted sites.

In actions like this, the Internet user has nothing to do to protect himself.In actions like this, the Internet user has nothing to do to protect himself.Source: Freepik

Is there any way to know if my data has been leaked?

Yes! The developer Allan Fernando created a website called Fui Vazado for anyone to enter their CPF and date of birth to check if their information was disclosed on the web through the mega leak.

How does the LGPD fit in this case?

In force since 2019, the General Data Protection Law (LGPD) was created with the aim of increasing the security of data collected on the internet, requiring the guarantee of their integrity, including more basic information.

The legislation provides for penalties such as a warning and a fine of 2% of the company’s annual revenue involved in leaks such as this, limited to R $ 50 million. However, sanctions can only be applied from August this year.

Leave a Comment