The ANPD (National Data Protection Authority) commented on Wednesday (27) on the leak that affected 223 million CPFs and 40 million CNPJs. The entity, created to enforce the LGPD (General Law for the Protection of Personal Data) and to apply punishments to those who expose personal data, says it is investigating the case.
In a statement to Tecnoblog, the ANPD says it is technically investigating information on the case, and will cooperate with the competent investigative bodies to find out:
- the source of the leak;
- the form in which it occurred;
- the containment and mitigation measures adopted in a contingency plan;
- the possible consequences and damage caused by the breach.
That done, the ANPD will suggest the appropriate measures provided for in the LGPD for “the accountability and punishment of those involved”, together with the other competent bodies.
The data protection law provides for several types of punishment, from a warning to a fine of 2% of the company’s annual revenue, limited to R$ 50 million. It is worth remembering, however, that the ANPD does not yet have the power to fine: this will only be possible as of August 2021.
Several media outlets, including Tecnoblog, Estadão, Exame and El País, had been contacting the ANPD since at least last Monday, but the entity did not respond.
Senacon and Procon-SP notify Serasa
The CPF leak, the details of which were revealed exclusively by Tecnoblog, includes face photo, address, telephone, e-mail, credit score, salary, social class and various other information across 37 different categories. A sample of this file was offered for free on forums on the open internet and the dark web. In addition, a database with 40 million CNPJs included data such as credit scores, debts and a list of partners.
As there was information related to Serasa Experian in both leaks, the company was notified by Senacon (National Consumer Secretariat) and Procon-SP to provide clarification. It has said several times that it is not the source of the data, and said it is “in contact with the regulators to assist them with any queries”.
In a statement, Serasa says:
We conducted an in-depth investigation that indicates that there is no correspondence between the fields in the folders available on the web with the fields in our systems where Score Serasa is loaded, nor with Mosaic. In addition, the data we saw includes elements that we don’t even have in our systems and the data that they claim to be attributed to Serasa does not match the data in our files.
This case is also being analyzed by the MPDFT (Public Ministry of the Federal District and Territories), while the MPF-SP (Federal Public Ministry in São Paulo) confirms that it has received a representation on the matter, which will be distributed to an attorney shortly.
Case should be taken “to the last consequences”, says Idec
For Diogo Moyses, from Idec (Brazilian Institute for Consumer Protection), “this case can become a test of fire for the data protection ecosystem, not only the ANPD, but also the relationship with other consumer protection agencies and criminal investigation”.
Diogo, who is the coordinator of the Telecoms and Digital Rights program at Idec, also tells Tecnoblog: “Due to the importance of the case, the amplitude and the amount of data leaked, this is a case that must be taken to the last consequences”, or risk bringing the data protection ecosystem into disrepute “even before being implemented as a whole”.