Vasco da Gama held an election for club president this month and, as Tecnoblog revealed exclusively, the Eleja Online website used for registration exposed data of supporter members. The company responded by admitting the security breach, but claims this was not a problem because the data was “in the public domain”.
To recap: it was possible to use a specific URL on the Eleja Online website, including a registration number, to obtain personal data of Vasco supporters. This included full name, CPF (taxpayer ID), date of birth and membership category (general, patrimonial, redeemed, benefactor redeemed, etc.). A security expert analyzed the flaw and was able to obtain 5,590 records in less than two hours.
Tecnoblog contacted Eleja Online on November 12 at two e-mail addresses but received no response. Vasco’s press office also did not return our message. The next day, we published the story.
Shortly afterwards, a reader pointed out that the data of almost 8,500 fans was on Vasco’s own website, in a non-searchable PDF (the file is a collection of scanned images). The gap in the registration page allowed the same information to be obtained in machine-readable plain text.
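The flaw described above is a textbook missing-authorization check: the registration number in the URL was the only thing deciding whose record came back, so anyone could walk through the numbers. The Python snippet below is an added illustration, not Eleja Online's code; the endpoint path, parameter name, member table and access-log lines are all constructed for the example. It shows a lookup bound to nothing but the ID beside one bound to the caller's own session (and trimmed to what a pre-registration form actually needs), plus a small log check that flags a single client requesting many distinct registration numbers, which is what this kind of scraping looks like from the defender's side.

```python
"""Added example (not Eleja Online's code): an ID-only member lookup versus one
bound to the authenticated session, plus an access-log check for ID scanning.
Every path, parameter, name and CPF here is a constructed placeholder."""
from collections import defaultdict
from typing import Dict, Optional

# Constructed member table; the CPFs are obviously fake placeholders.
MEMBERS = {
    1001: {"name": "Supporter A", "cpf": "000.000.000-01", "birth": "1980-01-01", "category": "general"},
    1002: {"name": "Supporter B", "cpf": "000.000.000-02", "birth": "1975-05-05", "category": "patrimonial"},
    1003: {"name": "Supporter C", "cpf": "000.000.000-03", "birth": "1990-09-09", "category": "redeemed"},
}


class Forbidden(Exception):
    """Raised when a caller asks for a record that is not their own."""


def lookup_vulnerable(registration_number: int) -> Optional[dict]:
    """Mirrors the flaw in the article: the registration number from the URL is
    the only input, so any caller can read any member's full record."""
    return MEMBERS.get(registration_number)


def lookup_hardened(session_registration: int, registration_number: int) -> dict:
    """Authorization tied to the session: a caller may only retrieve the record
    their own login was issued for, and only the fields the form pre-fills."""
    if session_registration != registration_number:
        raise Forbidden("registration number does not match the authenticated session")
    record = MEMBERS.get(registration_number)
    if record is None:
        raise KeyError(registration_number)
    # Data minimisation: CPF and date of birth never leave the server here.
    return {"name": record["name"], "category": record["category"]}


# Constructed access-log lines: client, method, path, status.
# The path and the 'registration' query parameter are hypothetical.
SAMPLE_LOG = """\
10.0.0.5 GET /lookup?registration=1001 200
10.0.0.5 GET /lookup?registration=1002 200
10.0.0.5 GET /lookup?registration=1003 200
10.0.0.5 GET /lookup?registration=1004 404
10.0.0.5 GET /lookup?registration=1005 200
10.0.0.9 GET /lookup?registration=1002 200
"""


def flag_enumeration(log_text: str, threshold: int = 4) -> Dict[str, int]:
    """Return clients that requested at least `threshold` distinct registration
    numbers. A supporter filling in their own form looks up one number; a
    scraper touches many, including ones that do not exist (404s)."""
    seen = defaultdict(set)
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue  # skip malformed lines rather than crash the detector
        client, _method, path, _status = parts
        if "registration=" in path:
            seen[client].add(path.split("registration=", 1)[1])
    return {client: len(ids) for client, ids in seen.items() if len(ids) >= threshold}


if __name__ == "__main__":
    print("vulnerable lookup of someone else's record:", lookup_vulnerable(1002))
    print("hardened lookup of own record:", lookup_hardened(1001, 1001))
    try:
        lookup_hardened(1001, 1002)
    except Forbidden as exc:
        print("hardened lookup of someone else's record:", exc)
    print("clients scanning registration numbers:", flag_enumeration(SAMPLE_LOG))
```

The session check is the fix that matters; the log check is the compensating control a team can run against existing access logs to see whether such scraping already happened, and how many records each client touched.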
Company admits security breach
In a statement sent on November 19, Eleja Online says that its tool for the Vasco election included a registration helper, but that “this facility was unduly exploited to obtain data – even if these were in the public domain – from other voters”. It assures that attached documents, such as photos and proof of residence, remained protected.
The company admitted the security breach but minimizes the problem, saying the exposed information had already been published by Vasco in October: “therefore, there was no obligation on our part to keep this data confidential”.
In addition, Eleja Online cites the LGPD (General Personal Data Protection Law) to argue that obtaining the data was a crime, because access was made improperly and the information was disclosed, according to the company, “irresponsibly and with the simple intention of causing confusion in the electorate”. It promises to take appropriate measures “in order to get these criminal(s) to answer legally for these attitudes”.
And the LGPD?
But what about the potential harm from having the data exposed? Tecnoblog contacted Crialesse e Garcia Sociedade de Advogados, a firm specializing in digital law, to better understand the situation.
They believe that, even if the data was made available by Vasco, liability can be considered joint and several in the event of any damage to the data subjects – in this case, the supporters.
“The controller or the operator of personal data can be held responsible and ordered to indemnify the damages that may have occurred due to the breach of data security when they fail to adopt the security measures provided for in the LGPD”, they explain.
In addition, one of the principles of the LGPD is necessity: the processing of personal data must be limited to the minimum needed to carry out an activity. “In this case, was it really necessary for Vasco da Gama to provide the list with such data?”, asks the law firm.
Another principle of the LGPD, of course, is security: whoever is responsible for personal data must adopt measures to protect against unauthorized access, so that this information is not disclosed.
Eleja Online’s statement
Below is Eleja Online’s full statement:
We come forward publicly to comment on a video that was shared on social networks, whose content relates to the online election of the Club de Regatas Vasco da Gama, held last Saturday (11/14/2020).
Our official position is to reject the content presented. In the clumsy and manipulative demonstration, it was possible to perceive security flaws in our multiplatform system, which in no way corresponds to the reality of the facts.
The tool for the Club’s election had been configured with a registration helper, which assisted the fan in filling out the pre-registration. What happened was that this facility was unduly exploited to obtain data – even if it was in the public domain – from other voters. We emphasize that all attached documentation, such as photos, proof of residence and other attachments, remained protected by Eleja Online. This act of obtaining data is considered a crime under the General Data Protection Law, as the citizen who did it not only accessed information that they had no ownership of or authorization to access – within the acceptable-use guidelines of our system – but also disclosed it irresponsibly and with the simple intention of causing confusion in the electorate. We make it clear that we are taking the appropriate steps in order to get these criminal(s) to answer legally for the undue attitudes mentioned above.
This was yet another criminal action of which we were victims, along with other cyber attacks that occurred during the period the registration was online, and which were mitigated by our security team. We also emphasize that all information collected by this illegal method had been made available by our contractors – Clube Vasco – through a publication on October 2, 2020 (link: https://m.supervasco.com/noticias/vasco- publishes-the-final-list-of-voters2020-check-288975.html). Therefore, there was no obligation on our part to keep this data confidential since, as already mentioned, it had previously been made public by the Supervasco website itself.
We emphasize that our relationship with the Club de Regatas Vasco da Gama remains strictly commercial, with its representative at the time, Mr. Faues Cherene Jassus Mussa, under a contract signed between both parties. For our company, regardless of the final result of the election, what mattered was conducting it in the most transparent manner and with all the smoothness that the occasion demanded.
Furthermore, in addition to our years of experience and success in the market, we were also audited by more than one private auditing company, hired by the slates that contested the election. Treating such action as commonplace in our environment – and necessary – we emphasize that we did not refrain from providing all the information needed to prove the security and conformity of the electoral process.
Finally, regardless of the incident, we thank the fans who participated in what was the first digital democratic process of the Vasco da Gama Club for their praise of the Eleja Online system.