Last Thursday (28/01), Procon of São Paulo sent a letter to the State Civil Police Department requesting an investigation into the leak of data from approximately 220 million Brazilians. There are suspicions that the information was extracted from Serasa Experian, but the company denies this. The case will be forwarded to the Cybercrimes Division of the police agency.
Two weeks ago, files containing the name, CPF, date of birth, photograph, salary and other information of Brazilian citizens were found on the internet. The discovery was made by dfndr lab, a digital security laboratory run by the startup PSafe, which reported the case to Estadão. The files were on the Dark Web, a sector of the internet not indexed by search engines such as Google, and thus prone to illegal activities.
On Monday (25/01), after news of the information leak, the National Consumer Secretariat (Senacon) notified Serasa demanding explanations. The company will have 15 days to state whether it acknowledges that the leak occurred in its database or that of its partners, how long the data was exposed, who had access to this information and, if it is from its database, what was done to resolve it. As already mentioned, Serasa denies being the source of the leak.
Extent of the case
Files containing important data on Brazilian citizens were found on Dark Web forums. They were divided into parts, one of which was more complete, and were sold by criminals. Some of these files ended up on the Internet and could be accessed by anyone with the download link.
The numbers can be frightening and confusing: the leak contains data from approximately 220 million CPFs, which exceeds the estimated 212 million inhabitants of the country. This is because the files also contained data on people who had already died. In addition, there are CNPJ numbers linked to CPFs, which contribute to the volume of leaked data.
Some of the leaked information was public and can be found on official government websites. However, much of it could only be accessed through company registrations. One of the spreadsheets that make up the leaked files lists the sources of the information, and Serasa is among them.
If Serasa's liability in the case is confirmed, the Consumer Protection Code provides for a penalty of up to R$10 million. The General Data Protection Law (LGPD) is even stricter, providing for a punishment of up to R$50 million, but it can only be applied in August of this year.
Be careful
It is not yet possible to assess the extent of the damage caused by this leak. This may only be possible with the results of the investigation that should begin to be carried out by the Cybercrimes Division of the Civil Police of São Paulo. However, it is good to take some precautions regarding the matter.
There are already websites claiming that users can perform a search to find out if their data has been leaked, and to do so they ask you to enter your details. This is something that we don't recommend, since you may be handing over (or confirming) your information to someone you don't know.
Furthermore, if you receive a message from a store or institution, whether by email, WhatsApp or another channel, showing your details, do not trust it immediately. Search the company's official website to verify the information, and simply ignore it if it is not real. If you are suspicious or feel bad about the message, seek official assistance.
Image: Matejmo/iStock