Serasa Experian is being sued by Instituto SIGILO over the exposure of data on 223 million CPFs and 40 million CNPJs. The public civil action, which also names the ANPD (National Data Protection Authority) as a defendant, asks that the company pay a fine of R$ 200 million and an indemnity of R$ 15 thousand to each holder affected by the leak.
From the beginning, Serasa has denied being the source of the mega leak. But Victor Hugo Pereira Gonçalves, founder and president of Instituto SIGILO, accuses the company of selling its database, and argues that for this reason it shares responsibility if the leak occurred at one of its partners.
“Whether it leaked from inside or outside [Serasa] is an irrelevant issue,” says Victor in an interview with Tecnoblog. “The data controller is responsible before, during and after; it is Serasa’s responsibility if the data is not erased after use.”
According to Victor, who specializes in digital law, the ANPD is named as a defendant in this lawsuit because the degree of Serasa’s involvement in the leak is not yet known. Thus, all material produced by the authority during its investigation “has to be brought to court”.
SIGILO was created in 2018 as a non-profit association dedicated to the protection of personal data. The institute has already filed lawsuits against other companies, most of them in the second half of 2020, which are still in the process of being served.
Serasa denies being the source of the leak
In a statement, Serasa says: “we understand that the filing of the lawsuit is hasty, and we will present our defense within the legal term”. Since last month, the company has been conducting an investigation into data offered illegally for sale on the Internet.
The company reiterates that “so far there is no evidence that data has been obtained illegally from Serasa”, and that there is no evidence that its systems have been compromised.
“There is even data available that Serasa does not have, such as photos, INSS records, vehicle records and social media login information”, the statement says.
Lawsuit seeks a fine of at least R$ 200 million
The initial petition, to which we had access, mentions the Tecnoblog report that exclusively revealed details about the leak. There are 37 folders in the preview offered by the hacker, including information on credit scores and other products sold by Serasa, such as Mosaic and affinity and propensity models.
“Although the defendant Serasa claims that its processing environments did not cause the incident under examination, given the context of the leaked data, it is evident that it is data obtained from services that it offers in a unique and indistinct way”, says the lawsuit.
“In any scenario, the defendant Serasa Experian is objectively liable for the leaked data, because, directly or indirectly, it contributed to the illegality and did not apply best practices in the development of its services”, the action argues.
Accordingly, Instituto SIGILO makes several demands of Serasa:
- payment of collective moral damages of at least R$ 200 million, to be paid into the FDD (Fund for the Defense of Diffuse Rights);
- payment of R$ 15 thousand to each data subject, as compensation for moral damages;
- sending a letter with acknowledgment of receipt (AR) to all holders whose data has been exposed, under penalty of a daily fine of R$ 10,000;
- disclosure on social networks and through other forms of communication of the security incidents that have occurred and of the plans to address possible risks;
- an obligation to apply the technical and technological measures necessary to remove the leaked data from the internet.
Lawsuit wants the ANPD to audit
As for the ANPD, the lawsuit states: “from the moment a body whose fundamental task is to supervise the LGPD is established and bound to the Presidency of the Republic, there is no way to conceive that this same entity remains inert in the face of an unprecedented violation of the legislation”.
Therefore, the lawsuit asks the ANPD to notify Serasa; to perform a technical audit “to verify the disastrous security breach under examination”; and to take the necessary administrative measures to investigate “illegal acts perhaps committed by the Authority”.
The ACP (public civil action) has number 5002936-86.2021.4.03.6100 and is before the 22nd Federal Civil Court of São Paulo. It was filed directly in the Federal Court because it names the ANPD, linked to the Presidency of the Republic, as a defendant.