The data is on the network: copies of documents, addresses, economic profiles, occupations, face photos, family ties and much other sensitive information, available to anyone with malicious intent to get their hands on. What to do in the face of such a data leak? When it is not just a matter of changing a password, attention must be doubled.
The most recent data leak: 223 million CPFs
The most recent known data leak is that of 223.74 million Brazilians (including deceased people), which may have been compiled in August 2019. The source of the leak has not yet been identified; some evidence points to Serasa Experian, precisely because of the compiled content.
The database is for sale on a forum, with payment in bitcoin, and contains everything from basic data (name, CPF, email, address) to face photos, income tax information, family dependents, and the income and purchasing power of each person.
How to know if my data has been leaked
For the leak above in particular, the website “I was leaked!” indicates whether a CPF is in the database and which information about that person is available. The page's developer told Tecnoblog that he does not collect the data from the queries. The tool also does not display the data itself, only a “✅” or “❌” for each category.
This is one site that searches one leaked database. There is no guarantee that other compilations of personal information are not circulating on the internet, whether on the open web, the dark web or the deep web.
For emails and passwords, the most common leaks, Have I Been Pwned searches the lists that are already public and reports whether they have been leaked or not.
What to do in case of data leak
When an email or password is exposed, the path is easier and less painful:
- For the password: change it to a more secure combination and enable a two-step verification method;
- For the email: avoid opening links and attachments from unknown senders and pay extra attention to incoming messages.
In fact, redoubling attention is essential in case of leaks, because once the data is exposed and public, it is almost impossible to get it off the internet. Scam attempts, which are already common, therefore become even more elaborate, since the information scammers hold about people is accurate, which confuses the user during the approach.
The most common scams to keep an eye on
Several internet scam practices are already well known and still trick users:
- Phishing: when a malicious person tries to obtain someone's credentials by deceiving them, using social engineering and persuasion, posing as a company employee, a relative or someone close. Hence the name “phishing”, from “fishing”;
- Spoofing: translates roughly as “gotcha” and is very similar to phishing. It occurs when the scammer impersonates the legitimate user who holds the information and tries to access accounts or servers, make purchases or steal the victim's identity. This is what happens in SIM swap cases;
- SIM swap: when the scammer transfers a person's number to another, blank SIM card. He calls the operator posing as the victim, claims to have lost access to the previous chip and requests the exchange. On the call, he confirms the data to authenticate the identity and the attendant makes the transfer. It can also be carried out by criminals inside the operator's own agency;
- Brushing scam: fake sales made over the internet. A store creates a fake profile with real consumer data (name and address), sends any object to the supposed customer (to validate the delivery) and then posts a positive review of the purchase. Other legitimate customers are deceived by the fake reviews and buy from the website.
All of these practices have one element in common: information, either to pass as the victim or to try to deceive the victim into handing over data.
In the case of SIM swap, for example, once the scammer has access to the victim's phone number, he can try to recover the passwords of online accounts (email, social networks) or access WhatsApp to apply other scams, such as asking friends and relatives for a loan.
How to protect yourself
Everyone is subject to the above practices, and even if you are not in a leaked database you can still be a victim. Against scams based on information, the best defense is information itself: analyzing and distrusting any message, call or other form of contact received.
If the contact came by email, the sender's address must be carefully checked. Is it a known address? Does it contain any strange characters? And what does the email ask for, to install something or to access a website? If the contact is not known or expected, the best course of action is to send it to the trash and mark it as spam.
For example, in a Google announcement the email must come from an address at google.com; it is fraud when the email comes from an address at google.scroogle.com or something similar.
If the user has clicked a link and arrived at a website where they have an account or plan to create one, it is important to check the URL (the address) before entering any credentials.
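The two checks above (the sender's real domain and the real destination of a link) are easy to get wrong by eye, because a name like google.scroogle.com contains the word "google" but belongs to scroogle.com. The script below is an added example written for this article, not code from Tecnoblog or Kaspersky; the addresses and links it tests are constructed samples, and the only assumption is that the expected domain (here google.com) is known in advance. It compares whole DNS labels at the end of the name, reads the address inside the angle brackets rather than the display name, and parses the hostname of a link so that text placed before "@" in a URL is not mistaken for the site.

```python
# Added example (not code from Tecnoblog or Kaspersky): checking who a message
# or link really comes from, following the google.com vs. google.scroogle.com
# advice in the article. All addresses and links below are constructed samples.
from email.utils import parseaddr
from urllib.parse import urlsplit


def belongs_to(host: str, expected_domain: str) -> bool:
    """True if host is expected_domain itself or a subdomain of it.

    The comparison works on whole DNS labels, so mail.google.com passes while
    google.scroogle.com, notgoogle.com and google.com.evil.example all fail:
    what matters is the end of the name, not whether "google" appears in it.
    """
    host = host.lower().rstrip(".")
    expected = expected_domain.lower().rstrip(".")
    return host == expected or host.endswith("." + expected)


def sender_domain(from_header: str) -> str:
    """Domain of the real address in a From: header value.

    parseaddr() returns the address inside the angle brackets, not the display
    name, so '"noreply@google.com" <x@google.scroogle.com>' yields
    google.scroogle.com, which is where a reply would actually go.
    """
    _, addr = parseaddr(from_header)
    if "@" not in addr:
        return ""
    return addr.rsplit("@", 1)[1]


def url_host(url: str) -> str:
    """Hostname a link really points at, ignoring userinfo, port and path.

    'https://google.com@evil.example/login' points at evil.example: the text
    before '@' is a username, a trick used to make a link look legitimate.
    """
    if "://" not in url:
        url = "https://" + url  # a bare 'accounts.google.com/signin' is still a host
    return urlsplit(url).hostname or ""


def sender_is_legit(from_header: str, expected_domain: str) -> bool:
    """Does the sender's real address belong to the expected domain?"""
    return belongs_to(sender_domain(from_header), expected_domain)


def link_is_legit(url: str, expected_domain: str) -> bool:
    """Does the link really lead to the expected domain?"""
    return belongs_to(url_host(url), expected_domain)


if __name__ == "__main__":
    # Constructed samples: the first of each group is genuine, the rest are not.
    for header in ("Google <noreply@google.com>",
                   "Google <noreply@google.scroogle.com>",
                   '"noreply@google.com" <alerts@mail-google.example>'):
        print(f"{sender_is_legit(header, 'google.com')!s:5}  {header}")
    for link in ("https://accounts.google.com/signin",
                 "https://google.com.evil.example/signin",
                 "https://google.com@evil.example/signin"):
        print(f"{link_is_legit(link, 'google.com')!s:5}  {link}")
```

Run as a script, it prints True only for the genuine sender and the genuine link. The same `belongs_to` rule is what a browser shows in the address bar: only the last labels of the hostname identify the site, so checking them exactly is the habit the article recommends.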
On phone calls it is difficult to verify the identity of the other person on the line. The solution is to be suspicious if the attendant asks for sensitive information (passwords, credit card number and security code). An alternative is to ask for the call's protocol number and then call the company back on an official number, quoting the protocol to resume the service.
It has become mandatory to activate two-step verification on every internet service used and, whenever possible, with a one-time code generator app. Once the data is exposed, a password recovery attempt using the leaked information can be a hacker's first path to identity theft.
Unauthorized transactions and registrations
Using the credit card app or enabling SMS notifications is a good way to keep an eye on transactions. That way, as soon as an unauthorized purchase appears, contact the institution that issued the card to report the fraud.
Tip: buying in online stores with a virtual card is preferable, because it is easy to delete and avoids being caught up in other leaks.
The Cadastro Pré website (cadastrpre.com.br) lets the customer check which operators he has an active phone line with, just by entering his CPF. Unfortunately, it does not show how many numbers are active and does not include virtual operators, only Algar, Claro, Oi, Sercomtel, TIM and Vivo lines. Still, any help is welcome.
What about LGPD, can I do something?
According to digital law expert Adriano Mendes, it is up to the National Data Protection Authority (the body responsible for the LGPD), Procon, the National Consumer Secretariat and the Public Prosecutor's Office (Ministério Público) to investigate leaks and punish those responsible.
As for individuals, Mendes explained to Tecnoblog that there are no specific procedures to follow unless there is concrete damage, real losses (for example, credit lines or debts opened in the victim's name). In that case, there is compensation for moral damages.
In Tecnocast 177 – The big data leak, Rafael Zanatta, director of the Data Privacy Brasil Association, says that it is not each person's responsibility to subscribe to monitoring services or to despair, but to be aware of future scams.
What we have to expect as individuals is a collective response to this problem – structuring a platform where I can ask “is my CPF there?” is something that the responsible company itself or, ultimately, the government must structure. Then, use these resources to promote a type of support, including tips on how to identify identity fraud and how to protect yourself better.
With information: Kaspersky.