2021 began with a major scandal involving a leak of Brazilian data. The dfndr lab of the security company PSafe identified a gigantic database circulating on the dark web containing data on 220 million Brazilians, possibly originating from Serasa Experian systems. Procon-SP, the São Paulo consumer protection agency, then turned its attention to the problem.
The breadth of the information available would allow a detailed profile of practically every living Brazilian, and of many dead ones as well, since the country's current population is estimated at only 209 million. CPFs (individual taxpayer numbers), CNPJs (company registration numbers), home and business addresses, estimated income, assets, telephone numbers and other personal data can be used in social engineering scams: attacks in which criminals personalize the approach with the victim's own information, leading the victim to believe they are dealing with a legitimate email, SMS or message because the sender correctly stated details about them.
An NGO that works to protect personal data even called for a multi-million fine against Serasa after the leak, and Procon-SP requested the opening of a police investigation in addition to demanding explanations from the company. The response has finally arrived, but it does not appear to shed much light on the case.
More questions than answers
Although Serasa Experian is the main suspect as the source of the leak, Procon-SP reports that the company is conducting an internal investigation and that its findings, so far, indicate that the leaked data did not originate from its systems.
Despite the response, Procon-SP is not satisfied. Serasa says it complies with the General Personal Data Protection Law (LGPD), but the agency demands more information about how the company ensures transparency about the data it holds and about how, and with whom, that data is shared.
As for possible measures to protect consumers, Procon-SP considers the institutional communication on the company's website merely preventive, not remedial. The company does not explain how it would act if consumer information in its possession were actually leaked, how it would protect the affected consumers, or how it would compensate them.
According to Fernando Capez, executive director of Procon-SP, Serasa Experian responded to the agency's notification in generic terms, and the possibility that the company was the source of the leak has not been ruled out. The agency will now meet with its supervisory board to decide whether or not to impose a fine. Without proof of Serasa's alleged involvement, however, that will be difficult.
In any case, whether or not Serasa is involved, the damage is done, since the leaked data has proven to be genuine information about Brazilian citizens.
Image: dem10/Getty Images