We have reported here on a data leak that exposed 220 million Brazilians (including deceased people) and 40 million CNPJs. It came with a third database being distributed for free on the internet: according to Tecnoblog, the file provides information on more than 100 million vehicles in Brazil, including make, model, chassis and license plate number, in both the new and the old standard.
Leak reveals data on 104 million vehicles
The 23 GB file has data on exactly 104,193,161 cars, motorbikes and other types of vehicles. It was reportedly compiled in August 2020 and was circulating in forums on the open internet, with a link indexed by Google search and free to download.
It was possible to confirm that the database contains correct information on the license plates of ten different cars, including make, model and color; this strongly indicates that the leak is real. This is cause for concern because, according to Denatran, there were 107,948,371 vehicles registered in December 2020, nearly the same as the number of vehicles whose data was exposed on the internet.
The origin of this leak is not known. Unlike the cases involving 220 million CPFs and 40 million CNPJs, there is nothing directly related to Serasa Experian. (It is worth remembering that the company denies being the source of these two other leaks.)
Leak risks with vehicle data
This database does not reveal who owns each vehicle: that is, there are no driver’s license numbers (CNH) or CPF numbers. Nor does the Renavam (National Registry of Motor Vehicles) number appear. Still, the data can pose a risk to owners.
Lawyer Luiz Augusto D’Urso, a specialist in digital law, explains to Tecnoblog that vehicle data can be used for various types of offenses, including cloning chassis, cloning car documents and sending false fines to the vehicle owner.
The data could even be used in attempts to break into WhatsApp accounts: “criminals call the victim with such data and impersonate the dealership, and due to guarantees and reviews, they can try to get the victim’s WhatsApp access code”, says D’Urso, who is also President of the National Cybercrime Commission of ABRACRIM (Brazilian Association of Criminal Lawyers).
The source of this leak is unknown but, if found, it can be held responsible under the LGPD (General Law for the Protection of Personal Data). Data that allows someone to be identified is also personal data, says the lawyer: “therefore, depending on the vehicle information, even if it is not directly linked to someone, it can be considered personal data and the company could be held responsible for the leak, as it can identify the owner indirectly”.
More giant leaks of this type can still happen. DataBreaches.net, which helped Tecnoblog investigate this case, notes that “researchers have quietly found and murmured about huge databases with medical and personal information of Brazilians for over a year”. Many of these files are reportedly in the hands of people or companies that have not yet released their findings.
What was exposed in the leak of 104 million
These are the categories of data revealed in the leak on 104 million vehicles:
- ID (internal database number)
- type of person (natural or legal)
- update date (varies from 1993 to 2020)
- license plate (in old or new format)
- municipality and UF (state) of the license plate
- vehicle situation
- restrictions (without restriction, restricted by theft, pledge, fiduciary alienation, etc.)
- chassis number
- chassis situation (normal, restricted)
- engine number
- gearbox number (if applicable)
- body number (if applicable)
- body type (open, closed, jeep, van, double cab, motorcycle etc.)
- invoiced document type
- Billed UF
- “Billed” (contains sequence of numbers related to the invoiced document, such as invoice)
- brand and model (there are 37 thousand different models)
- model year
- year of manufacture
- vehicle color
- vehicle type (bicycle, moped, scooter, motorcycle, automobile, bus, truck, etc.)
- kind of vehicle (passenger, cargo, mixed, traction, collection etc.)
- fuel (gasoline, alcohol, diesel, natural gas, electric, etc.)
- power (in HP)
- maximum traction capacity
- total gross weight
- battery capacity
- number of passengers
- number of axles
- nationality (domestic or imported)
- DI (Import declaration)
- importer’s identity
- type of document of the importer