Banco Pan, controlled by BTG Pactual, suffered a customer data leak in the early hours of Friday (15). After reports on social networks about a possible breach, the company itself confirmed the detection of a weakness in a supplier’s platform, used by the call center linked to users’ cards. The institution did not disclose how many people were affected, but a document reveals 64,000 exposed holders.
So far, Banco Pan has notified the software provider that was the source of the data leak, requesting the “immediate correction of the vulnerability”. In a note to Tecnoblog, the company says that it hired a “specialized and independent expert to carry out a complete analysis” of the incident.
Although there is no official version of the number of affected customers, the website Tecmundo received a document from an anonymous source that reveals 64,000 holders linked to the bank who had their data leaked. According to the report, Banco Pan is reportedly facing an extortion attempt to keep the information from being disclosed on the internet.
The anonymous tip cites that 22 million accounts were compromised. Banco Pan countered, saying that this estimate is false. Among the leaked data are CPF, date of birth, residential address, account number, credit card information, bank balance and invoice value.
Despite the security breach, Banco Pan points out that there was no compromise of customers’ current accounts, nor any invasion of the company’s infrastructure and systems, and that credit card data and passwords were not completely leaked, something that would put users at risk.
“We reinforce that information security is our priority and all competent authorities have been notified”, concluded Banco Pan in a statement.
Invasion gave access to emails from Banco Pan
According to Tecmundo, the attacker gained improper access to customer data by taking advantage of a security hole in the email accounts used to process user data, including registering new accounts. After listing all these addresses, the hacker attacked the passwords and obtained the personal information.
Using a script to extract customer data, the hacker claims to have obtained information on 22 million Banco Pan users.
For the time being, Banco Pan has not informed its shareholders about the incident on its Investor Relations page, as Mercado Livre did when it suffered a leak in March, or Americanas SA when it was attacked by hackers. The financial institution also did not inform the CVM about the security breach.
Check out the full Banco Pan note:
“We recently detected a weakness in the platform of a technology provider, used in the Customer Service Center in the card segment. We activated our security protocols, notified the software company for immediate correction of the vulnerability and hired independent expert consulting for a complete analysis.
According to the investigation in progress, it was already possible to verify that there was no current account compromise, system unavailability, or invasion of the Bank’s infrastructure, having been confirmed, however, that the exploitation of the vulnerability allowed the unauthorized copying of registration data, available limit and debit balance, without having exposed complete card data, passwords or any data that incurs a direct financial risk for the customer and the bank.
We reinforce that information security is our priority and all relevant authorities have been notified.”