O Central Bank of Brazil (BC) announced, this Friday (17), the leak of personal data linked to more than 137 thousand keys pix. According to the institution, among some information exposed are: user name, CPF, agency, account number and type, all belonging to the supply therea motoring club.
Also according to the Central Bank, no sensitive data – such as passwords, balance and account movements or other information kept under bank secrecy – was exposed.
All the leaked information, according to the BC, is of a “registration nature”, which “does not allow the movement of resources, nor access to accounts or other financial information”.
According to BC, the incident took place between the 1st and 14th of September. In all, registration data linked to 137,285 Pix keys were leaked.
Among them are: user name, CPF, relationship institution, agency, account number and type and the key creation date.
The agency states that all owners of the exposed data will be communicated exclusively through the institution’s app or internet banking system and warned of the risk of scams.
Neither the BC nor the participating institutions will use any other means of communication to affected users, such as messaging apps, phone calls, SMS or email.
Also in the statement, the agency said it would take the “necessary actions” to investigate the latest leak in detail and said it would apply the measures provided for by law.
O technoblog contacted the Ultra Group, responsible for Abastece Aí. In a statement, they stressed that:
Abastece-aí, which operates the application of the same name, communicates that due to the security incident, of which it was a victim, it has already blocked suspicious activities.
As informed by the Central Bank, no passwords, transaction information, financial balances or any other information under bank secrecy were exposed. Potential information improperly accessed from PIX is registration data, not allowing the movement of resources, nor access to accounts or other financial information.
The company reinforces that all measures applicable to this investigation are already being taken.
Last major leak was reported in January
The last major data leak linked to Pix keys happened in December 2021, but it was only announced by the Central Bank in january of this year.
At the time, the BC reported that more than 160,147 pieces of information had been exposed. Again, the data in question were considered “sensitive”, only of a “cadastral nature”.
Procon-SP tried to intervene and even sent a letter to the Central Bank. The agency asked for clarification on what had happened, such as the number of affected customers in the state of São Paulo and how they would be communicated.
Another very similar case happened in august last year. About 400 thousand registration data of Banese (Banco do Estado do Sergipe SA) were exposed, which suffered a security breach.
The institution reported that the reason for the leak was being investigated, but it was suspected that the data had been obtained through phishing through two accounts of the institution.
With information: Brazilian central bank