The leak that exposed 223 million CPFs and 40 million CNPJs is the subject of at least two investigations: Senacon (National Consumer Secretariat) confirms to Tecnoblog that it has notified Serasa Experian to explain its possible involvement. The company denies being the source of the information. It will also be notified by Procon-SP.
Procon-SP notifies Serasa; ANPD does not speak
“Procon will notify Serasa Experian, in order to justify the reason for this data leak,” says executive director Fernando Capez. “Today, we can apply the LGPD and the sanctions provided for in the Consumer Protection Code. Procon, therefore, awaits a response from Serasa so that compatible penalties are applied.”
Penalties under the CDC (Consumer Protection Code) reach up to R$ 10 million. Capez points out that the General Data Protection Law provides for heavier fines, up to R$ 50 million, but these only come into force in August this year.
Tecnoblog contacted the ANPD (National Data Protection Authority), but received no response. The agency is responsible for investigating and fining companies and public entities that violate the LGPD in the future.
Federal prosecutors should investigate
The MPF-SP (Federal Public Ministry in São Paulo) tells Tecnoblog that it has already received at least one representation regarding the leak of 220 million CPFs. In it, a citizen requests that the case be investigated. The filing is still being processed and will be assigned to a public prosecutor “for analysis and definition of the next steps”.
In turn, the MPDFT (Public Ministry of the Federal District and Territories) states that it is analyzing the case, but “for the time being it cannot comment”. Last year, the entity filed a public civil action to prohibit Serasa Experian from selling personal data such as CPF, address, telephone, location and purchasing power. An injunction forced the company to stop this service.
Senacon asks Serasa questions
The National Consumer Secretary, Juliana Oliveira Domingues, explains in a statement to Tecnoblog that the agency has initiated a preliminary investigation procedure to “investigate the materiality and authorship of the alleged leak of data from around 220 million Brazilians”.
In addition, Senacon created a data protection nucleus to establish a direct relationship with the ANPD. Juliana says that this specific rapporteurship to deal with personal data “aims to address the large number of consumer complaints related to the misuse of personal data”.
Serasa Experian will have fifteen days to answer questions from Senacon, which is linked to the Ministry of Justice. These are the questions:
- Is it recognized that the data has been leaked from its bases or from operators that process data at its command?
- If so, how long was the data exposed for?
- If so, who had access to the data?
- If so, what data was accessed?
- If so, what measures have been taken to improve the security of the privacy of data subjects?
- In any event, does the notified party practice, in its business model, any service that involves the provision, supply or treatment of this data? If so, on what terms?
- Still considering the previous item, is there any relationship between this negotiation and the leak? Does the notified party firmly rule out this possibility?
Case should be taken “to the last consequences”, says Idec
For Diogo Moyses, from Idec (Brazilian Institute for Consumer Protection), “this case can become a test of fire for the data protection ecosystem, not only the ANPD, but also the relationship with other consumer protection agencies and criminal investigation”.
Diogo, who is the coordinator of the Telecoms and Digital Rights program at Idec, also tells Tecnoblog: “Due to the importance of the case, the amplitude and the amount of data leaked, this is a case that must be taken to the last consequences”, under the risk of putting the data protection ecosystem in disrepute “even before being implemented as a whole”.
Serasa denies being the source of the leak
In a note, Serasa claims to have carried out an in-depth investigation and denies being the source of the data. According to the company, the information “includes elements that we don’t even have in our systems”; moreover, it says that the data it does have does not match what was leaked.
This is the full statement:
There has been news in the media that a hacker is illegally offering data about Brazilian citizens on the web. Although the hacker claims that part of the data came from Serasa, based on our detailed analysis to this point, we conclude that Serasa is not the source. We also see no evidence that our systems have been compromised.
We conducted an in-depth investigation that indicates that there is no correspondence between the fields in the folders available on the web with the fields in our systems where Score Serasa is loaded, nor with Mosaic. In addition, the data we saw includes elements that we don’t even have in our systems and the data that they claim to be attributed to Serasa does not match the data in our files.
We conclude that this is an unfounded claim.
We continue to actively monitor the situation and contact the regulators to assist them with any questions they may have regarding this matter. We have a strong commitment to protecting the privacy of the personal data we process and believe that we have the necessary security systems in place for this.