This week there was news of a leak that exposed the CPFs of more than 220 million Brazilians. Tecnoblog found that the case is more serious: this set of personal data, offered for free on an internet forum, is associated with an even larger database that includes face photos, address, phone, email, credit score, salary, income and more. The file appears to be associated with Serasa Experian, but the company denies being the source.
Two data leaks
Here we have two distinct but related cases. The first leak includes only full name, CPF, date of birth and gender: it is available for free download on a forum well known for disseminating this type of information.
The 14 GB file has data from 223.74 million different CPFs, and it was apparently compiled in August 2019. It is available on the open internet, not on the dark web: the link has even been indexed by Google search. The number of people affected is greater than the Brazilian population because the database also includes the deceased.
In turn, the second leak contains information on the same 223.74 million people and would also have been compiled in August 2019. It was released by the same user on the forum, and includes the CPFs in the same order, as shown in the image below:
In this case, only the preview is available for free: whoever wants the complete package has to pay. Prices range from $0.075 to $1 per CPF, depending on the quantity purchased. Payment is made in bitcoin only.
In total, there are 37 databases covering all types of personal data, including ID, marital status, list of relatives, complete address (with latitude and longitude), level of education, salary, income, purchasing power, and status with the IRS and INSS, among many others.
Leak came from Serasa Experian?
The biggest leak is titled “Serasa Experian”, and there is some evidence that these data are related to the company:
- one of the databases contains data from Mosaic, a Serasa Experian service that classifies consumers into 11 groups and 40 segments, in order to target advertisements and prospect customers;
- two other databases have information on affinity and propensity models, which Serasa also offers: the likelihood that a person will buy a certain product or service such as insurance, private pension, credit card, games, travel, luxury items, among others;
- there is also a list of credit scores, a product for which Serasa is best known.
In a statement to Tecnoblog, Serasa Experian says: “we are aware of third party claims about data made available on the dark web; we conducted an investigation and at the moment we see nothing to indicate that Serasa is the source”.
And the LGPD?
The LGPD (General Law for the Protection of Personal Data), which has been in effect since September 2020, provides for sanctions ranging from a warning to a 2% fine on annual revenues up to a maximum of R$ 50 million.
However, the punishments should only be applied as of August 2021. This will be the responsibility of the ANPD (National Data Protection Authority), which is still defining its main technical positions.
What was exposed in the 220 million leak
Tecnoblog relied on the help of DataBreaches.net to find out the details of this data set, which has been on the internet since last week.
We have gathered below the main information contained in the largest leak:
- basic: name, CPF, gender, date of birth, father’s name, mother’s name
- marital status (married, single, divorced, widowed, others)
- family bond: categorizes people according to a first degree (mother, father, son, daughter, brother, sister, spouse) or second degree (grandfather, grandson, uncle, nephew, cousin, etc.)
- telephone: area code, number, operator, plan, line type (fixed, prepaid, postpaid), installation date
- address: street address, number, neighborhood, city, state, zip code, type (residential / commercial), latitude and longitude
- households: CPF of householder, number of persons, income bracket, full address
- schooling: level (illiterate / elementary / technical / higher etc.)
- college students: 1,643,105 people with college name, course, year of entry and year of completion
- occupation: position, CBO number (Brazilian Classification of Occupations)
- job: CNPJ and corporate name of the employer, PIS / PASEP / NIT number, CTPS number, type of employment (CLT, self-employed, public servant, apprentice etc.), date of admission, salary, hours of work per week
- salary: value, type (monthly, biweekly, weekly, etc.), hours per week
- income: monthly amount (includes salary, rent, interest, etc.), social class (low, medium, high), income range
- social class (A1, A2, B1, B2, C1, C2, D, E)
- purchasing power: level (low, medium, high), income, salary
- Family Allowance: amount, status of benefit (released / blocked), status of benefit (active / inactive), number and name of dependents, NIS (Social Identification Number)
- voter registration card: registration number, zone, section, address, county, state
- FGTS: PIS number
- CNS (National Health Card)
- NIS (Social Identification Number)
- PIS / PASEP
- INSS: insured’s name, benefit number, start date, type (retirement, pension, maternity salary, etc.)
- IRPF (income tax): bank institution name, branch code, refund lot
- IRS: registration status (regular / suspended / canceled / deceased holder)
- credit score: credit activity, risk score, risk level (low / medium / high)
- debtors: name, type of debtor (principal, co-responsible), situation (active, in collection, filed), type of debt (fine, income tax, PIS etc.), amount, whether it ended up in court (yes / no)
- bad checks: bank code and branch, reason (no funds / account closed)
- Mosaic: targeting group and subgroup
- affinity: accuracy level, percentile
- analytical model: predicts chance of consumer having affinity to buy a product or service
- pictures of faces: 1,176,157 JPEG images with dates between 2012 and 2020; the file name is the CPF of the corresponding person
- LinkedIn: 5,051,553 social network profiles with ID number and access URL
- business: name of the partner of a company, participation (shares and %), corporate name and trade name of the company, CNPJ, date of entry into the company
- public servants: job description, capacity, exercise, gross income, status, bond, removal (yes / no)
- advices: 2,260,960 people who provide consultancy in the public or private sphere, including situation, specialty and occupation code
- deaths: date of death, age, date of death certificate, name and address of the registry office