Vida Celular

The Brazilian Institute for the Defense of Personal Data Protection, Compliance and Information Security (Sigilo) has filed a lawsuit in Federal Court against Serasa Experian over the security breach that exposed around 220 million CPFs and 40 million Brazilian CNPJs in January. In the lawsuit, the NGO Sigilo asks that Serasa be fined R$220 million for the leak.

According to Sigilo, Serasa Experian is responsible for the exposure of the Brazilian population's data, which entitles the public to compensation for collective moral and material damages. The fine requested would not go to the plaintiff, however, but would be paid into the Special Fund for Diffuse Rights (FID), an institution created by the 1989 Constitution to serve as a remedy for damages caused to society as a whole.

In addition to the fine, Sigilo says the lawsuit also requests compensation of R$15 for each data subject affected by the leak, and asks that Serasa be required to identify and notify every individual and legal entity affected. The petition further provides for a daily fine of R$10 for failure to send those notices.

48 hours for clarification

More important still than the fine and the notification of those affected, the action also asks that Serasa Experian disclose, within 48 hours, which information security incidents led to the leak of the population's data.

This clarification could be issued through the company's official channels on social media. In addition, Serasa would have to commit to adopting technical measures to remove the leaked data from the internet, in order to contain the damage.

Understand the case

During the week of January 20, several digital security companies identified the leak of millions of CPFs and CNPJs on the internet. The source of the data, initially unknown, was reportedly linked to sensitive records such as telephone bills, DETRAN (vehicle registration) records, credit scores and tax records, among others.

The data was released on the deep web in two separate stages. First, files containing only the population's CPFs were published. Later, other databases containing CNPJs appeared.

According to those who examined the material, the leaked file is around 14 GB and contains approximately 220 million records relating to the 2019 fiscal year. The root folder of the data is reportedly titled "Serasa Experian".

Despite the evidence, the credit analysis and referral company denies any connection to the leak. Besides the Sigilo institute, other entities, such as Procon, are also demanding a statement from the company.

How do I know if my data has been leaked?

Unfortunately, there is still no fully reliable way to find out whether your data was included in the leak. After the breach, many websites appeared offering to check whether your data had been exposed. To date, none of them has certification or approval from the government or from the entities responsible for this type of check.

When in doubt, do not hand over your data to such sites. This is precisely why Serasa's response matters: even if the company is not responsible for the vulnerability that led to the population's exposure, it is important to ensure that this does not happen again.

The number of leaked records exceeds the number of active CPFs in Brazil. This means that, in addition to a large part of the living population, people who have already died were probably also exposed.

The government also shares the blame for the data exposure

Although symbolic, the action demanding a fine and clarifications from Serasa Experian over the leak may take a long time and may never fully repair the damage caused. The truth is that Brazil has a series of structural elements that weaken the protection of citizens' data.

Among these structural elements, such as the lack of a competent entity to oversee the application of the LGPD, one of the systems that most harms the security of our data is the Positive Registration (credit register) system.

Proposed in 2003 by then Federal Deputy Guilherme Afif Domingos, the Positive Registration bill provided for the creation of a database for analyzing the population's credit.

After several rounds of back and forth, the bill was approved in 2011 with a very serious flaw in terms of data security: it determined that all economically active citizens would be automatically included in the database.

Unlike the previous practice, in which only citizens with negative credit ratings (debtors) had their data included, the Brazilian credit system began to store a much larger volume of information.

To make matters worse, the law only allowed citizens to opt out of this database through a request procedure that few Brazilians know about. The correct approach would be the opposite: a positive credit analysis database in which the citizen requests inclusion.

What is the Positive Registration for?

Serasa Experian, SPC and other similar entities operate in essentially the same way, providing credit analysis to companies and financial institutions. By accessing your data, these entities determine whether you are a good or bad payer, which can secure advantages such as greater access to credit in the market, lower interest rates on financing, and so on.

To find out more, or to request the deletion of your data from the Positive Registration, the easiest route is the Serasa Experian Customer Service Center, by calling 0800-7766606. The removal must be carried out within two business days.

Image: Markus Spiske/Unsplash