Security Breach of Over 120 million Taxpayers in Brazil

Recently, the Tax ID database, better known as Cadastro de Pessoas Fisicas (CPF ID), holding the records of over 120 million taxpayers in Brazil, suffered a security breach. The data available online included the personal details of citizens in Brazil.

That amounts to over half of Brazil’s total population. Apparently, this data was exposed by a server that reportedly overlooked basic security controls. However, there is no clarity on the exact period during which this data remained publicly accessible.

The Discovery

The security breach was discovered by InfoArmor, an IT security firm. InfoArmor reportedly stated that the size of the file available online had changed during their observation, while it remained publicly accessible. According to the firm’s observation, an 82 GB file was apparently replaced with a 25 GB .SQL file.

This raises the possibility that the administrator was unaware of the exposure and continued to work on, and upload data to, the vulnerable server.

The Concerns

Presently, the top concern is the privacy of the personal data that was leaked. It is evident that the person who leaked this data had access to the nation’s official identification database.

With this leak, it is quite evident that these details were available to third parties, who made them publicly accessible: the server’s ‘index.html’ file was reportedly renamed to ‘index.html_bkp’.

InfoArmor’s report stated the following:

“Two simple security measures could have prevented this: not renaming the main index.html file or prohibiting access through .htaccess configuration. Neither of these basic cybersecurity measures was in place.”
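As an added illustration (not from the article or from InfoArmor’s report), the following .htaccess fragment implements the two measures the report names: it disables automatic directory listings, so a renamed or missing index.html no longer turns the folder into a browsable file index, and it denies web access to database dumps and backup copies such as the .SQL file and the index.html_bkp file described above. It assumes Apache httpd 2.4 with AllowOverride permitting these directives in the affected directory.

```apache
# Added example, not the breached server's actual configuration.
# Assumes Apache httpd 2.4 and AllowOverride Options FileInfo AuthConfig (or All).

# 1. Never generate an automatic listing when no index file is present.
#    With Indexes enabled, renaming index.html to index.html_bkp makes Apache
#    list every file in the directory, including database dumps.
#    With Indexes disabled, a missing index file yields 403 Forbidden instead.
Options -Indexes

# 2. Name the index file explicitly so the directory only ever serves it.
DirectoryIndex index.html

# 3. Deny web access to database dumps and backup copies regardless of
#    whether a listing is ever produced (case-insensitive match).
<FilesMatch "(?i)(\.sql|\.sql\.gz|\.bak|_bkp)$">
    Require all denied
</FilesMatch>
```

Checking the change from a client is a matter of requesting the directory URL without a file name and confirming a 403 rather than an HTML file index.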

The Brazilian CPF ID is an essential document required to pay taxes, have a loan sanctioned, operate a business or even open a bank account in Brazil. In short, the CPF ID is the identifier used to carry out financial transactions and dealings.

Since the server remains untraceable, it is evident that public access was granted by those with technical expertise. Therefore, it is presumed that the person concerned knew what they were doing.
