Almost the entire population of Brazil is now exposed by what could be the largest data breach ever recorded.
On January 19, 2021, it was discovered that the private data of over 220 million Brazilian citizens was leaked. The source of the leak is currently unknown.
Unfortunately, this is not the first time Brazil has come under fire for a large data breach. A significant leak of COVID-19 patients' details in 2020, caused by credentials that were embedded, only weakly encoded, in the source code of a Brazilian Health Ministry website, left personal data exposed for over six months. Medical records are among the most sensitive categories of personal data, and the leak exposed the records of both living and deceased Brazilians to possible unauthorised access.
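The Health Ministry incident above turned on a simple failure: credentials shipped inside publicly served source, where encoding them (rather than keeping them out) protects nothing. The following scanner is an added example, not code from the original article or from any of the organisations it mentions; it runs over a constructed fragment of page source (not the Ministry's real code) and flags plaintext secrets assigned to credential-like names, HTTP Basic tokens, and bare base64 blobs that decode to a `user:secret` pair.

```python
import base64
import re

# Constructed sample of web-page source with credentials embedded in it.
# Written for this example; it is not the Health Ministry's code.
SAMPLE_SOURCE = """
<script>
  var apiBase = "https://example.invalid/api";
  var dbUser = "appuser";
  var dbPassword = "S3cretPass!";
  var authHeader = "Basic YXBwdXNlcjpTM2NyZXRQYXNzIQ==";
  var sessionBlob = "YWRtaW46aHVudGVyMg==";
  var theme = "dark";
</script>
"""

# Identifier fragments that suggest a value is a credential.
KEYWORDS = ("pass", "pwd", "secret", "token", "apikey", "api_key", "credential")

# name = "value"  or  name: "value"  (JS, JSON, Python, config files)
ASSIGN_RE = re.compile(
    r'(?P<name>[A-Za-z_][A-Za-z0-9_]*)\s*[:=]\s*["\'](?P<value>[^"\']{4,})["\']')
# HTTP Basic authorisation token embedded in a string
BASIC_RE = re.compile(r'Basic\s+(?P<b64>[A-Za-z0-9+/]{8,}={0,2})')
# Something that looks like a bare base64 blob
B64_RE = re.compile(r'^[A-Za-z0-9+/]{12,}={0,2}$')


def decode_credential(token):
    """Return the decoded 'user:secret' text if token is base64 of such a pair, else None."""
    try:
        raw = base64.b64decode(token, validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return None
    if ":" in raw and raw.isprintable():
        return raw
    return None


def find_hardcoded_credentials(source):
    """Scan source text line by line; return (line, kind, name, value) tuples."""
    findings = []
    for lineno, line in enumerate(source.splitlines(), 1):
        for m in ASSIGN_RE.finditer(line):
            name, value = m.group("name"), m.group("value")
            if any(k in name.lower() for k in KEYWORDS):
                # Plain-text secret assigned to a suspicious identifier.
                findings.append((lineno, "plaintext", name, value))
            elif B64_RE.match(value):
                # Encoding is not encryption: base64 that decodes to user:secret.
                decoded = decode_credential(value)
                if decoded:
                    findings.append((lineno, "base64", name, decoded))
        for m in BASIC_RE.finditer(line):
            decoded = decode_credential(m.group("b64"))
            if decoded:
                findings.append((lineno, "basic-auth", "Authorization", decoded))
    return findings


if __name__ == "__main__":
    for lineno, kind, name, value in find_hardcoded_credentials(SAMPLE_SOURCE):
        print(f"line {lineno}: {kind:10s} {name} -> {value}")
```

Run against the sample it reports the plaintext `dbPassword`, the Basic token decoded to `appuser:S3cretPass!`, and the innocuously named `sessionBlob` decoded to `admin:hunter2`. The keyword list and the `user:secret` heuristic are assumptions chosen for this example; a production scanner would add entropy scoring and provider-specific key formats, and the real fix is to move credentials into server-side configuration or a secrets manager so the page source never carries them.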
The latest breach also contained detailed information on 40 million companies and 104 million vehicles. It is said to include the personal ID numbers (CPF), dates of birth and full names of nearly the entire Brazilian population; the company identification numbers (CNPJ), corporate names, trade names and dates of foundation of companies; and the chassis number, licence plate, colour, make, model, year of manufacture, engine number, fuel type and ownership location of vehicles. In total, the leak puts over 220 million Brazilians at risk and affects companies and government agencies alike.
To cybercriminals, the combination of personal data and vehicle data is a very valuable asset for resale on the dark web. The personal data is useful for profiling people for many types of fraud activity, and the vehicle data can be useful for vehicle cloning.
Claiming to be from outside of Brazil, the criminal is selling the data on forums in small batches of 1,000 records each, for approximately $100 of bitcoins per batch.
Unfortunately for Brazil, large data breaches are becoming an increasingly common sight in the press. Back in 2019 it was reported that a criminal was attempting to auction an illegal database containing the personal information of 92 million Brazilian citizens. Registered as X4Crow, the criminal was not only selling the data but also offering a search service to retrieve detailed information on individual Brazilian citizens. This comes at a time when IT managers in Brazil are reporting insufficient budgets for cybersecurity, raising concerns about the ongoing security of personal and operational data in Brazilian organisations.
In August 2018, Brazil passed a comprehensive data privacy law, the General Data Protection Law (Lei Geral de Proteção de Dados Pessoais, LGPD). Since its enactment, businesses and organisations operating in Brazil have been preparing for the law to take effect.
However, the LGPD's implementation timeline was delayed by the COVID-19 pandemic and by organisations not being ready: the law only came into force in September 2020, with its administrative sanctions deferred to August 2021. Regardless, continued large-scale breaches demonstrate the need for stronger enforcement and better data security in Brazil.
If you are concerned about your organisation's security, get in contact to discover how our Security Operations Centre can protect your endpoints, proactively monitor your network and hunt for vulnerabilities. If you are concerned about the maturity of your general controls, get in contact to start a Data Privacy and IT Service Maturity review.