This week, news broke of a leak that exposed the CPF of more than 220 million Brazilians. Tecnoblog found that the case is more serious: this set of personal data, provided free of charge on an internet forum, is linked to a larger data set that includes facial photos, addresses, phone numbers, emails, credit score, salary, income and more. The file appears to be affiliated with Serasa Experian, but the company denies being the source.
Two data leaks
Here we have two separate but related cases. The first leak includes only the full name, CPF, date of birth and gender: it is available for free download in a forum known for disseminating this kind of information.
The 14 GB file has data from 223.74 million different CPFs, and it appears to have been compiled in August 2019. This file is available on the open internet, not on the dark web: the link was even indexed by Google search. The number of people affected is larger than Brazil’s population because the database also includes deceased people.
The second leak, in turn, covers the same 223.74 million people and was also compiled in August 2019. It was released by the same user on the forum and includes the CPFs in the same order, as shown in the picture below:
In this case, only a free sample is available: those who want the complete package have to pay. Prices range from $0.075 to $1 per CPF, depending on the quantity purchased. Payments are made in bitcoin only.
In total, there are 37 databases covering all types of personal data, including ID, marital status, list of relatives, complete address (with latitude and longitude), education level, salary, income, purchasing power, status in the IRS and INSS, among many others.
Did the leaks come from Serasa Experian?
The larger leak is titled “Serasa Experian”, and there are some indications that this data may be related to the company:
- One of the databases carries data from Mosaic, a Serasa Experian service that classifies consumers into 11 groups and 40 segments, for targeted advertising and leads;
- Two other databases have information about relationship patterns and trends, something also offered by Serasa: the likelihood that a person will purchase a certain product or service, such as insurance, private pensions, credit cards, games, travel, luxury items, among other things;
- There is also a list of credit scores, a product that Serasa is best known for.
In a statement to Tecnoblog, Serasa Experian said: “We are aware of third-party claims about the data provided on the dark web; we have conducted an investigation and we currently do not see anything showing that Serasa is the source.”
A new statement from Serasa says the following:
Based on our analysis to date, we conclude that Serasa is not the source of this data. We have performed an in-depth investigation that found that there is no correspondence between the fields of the directories available on the web with the fields in our system where the Serasa Score is loaded, as well as with Mosaic. In addition, the data we analyze includes elements we don’t even have in our systems, and the data that is attributed to Serasa doesn’t match the data in our files.
The LGPD (General Personal Data Protection Act), in effect since September 2020, provides for sanctions ranging from a warning to a fine of 2% of annual revenue, up to R$ 50 million.
However, penalties should only be applied from August 2021. This will be the responsibility of the ANPD (National Data Protection Authority), which is still defining its main technical positions.
What was exposed in the 220 million leak
Tecnoblog enlisted the help of DataBreaches.net for details on this dataset, available on the internet since last week.
We’ve gathered below the key information included in the larger leak:
- Basic data: name, CPF, gender, date of birth, father’s name, mother’s name
- Marital status (married, single, divorced, widowed, others)
- Family ties: categorizes people by first degree (mother, father, son, daughter, brother, sister, spouse) or second degree (grandfather, grandchild, uncle, nephew, cousin, etc.)
- Phone: area code, number, carrier, plan, line type (fixed, prepaid, postpaid), installation date
- Address: street address, number, neighborhood, city, state, postal code, type (residential / commercial), latitude and longitude
- Household: CPF of household head, number of people, income bracket, complete address
- Schooling: level of education (illiterate / elementary / technical / higher, etc.)
- University students: 1,643,105 people, with university name, course, year of admission and year of completion
- Occupation: position, CBO number (Brazilian Classification of Occupations)
- Employment: CNPJ and employer’s company name, PIS / PASEP / NIT number, CTPS number, type of job (CLT, self-employed, host, apprentice, etc.), date of admission, salary, hours worked per week
- Salary: value, type (monthly, biweekly, weekly, etc.), hours per week
- Income: monthly amount (including salary, rent, interest, etc.), social class (low, medium, high), income range
- Social class (A1, A2, B1, B2, C1, C2, D, E)
- Purchasing power: classification (low, medium, high), income, salary
- Family allowance: amount, grant status (released / blocked), grant status (active / inactive), number and name of dependents, NIS (Social Identification Number)
- Voter registration: registration number, region, section, address, county, state
- FGTS: PIS number
- CNS (National Health Card)
- NIS (Social identification number)
- PIS / PASEP
- INSS: insured person’s name, benefit number, start date, type (retirement, pension, maternity pay, etc.)
- IRPF (income tax): bank name, branch code, refund batch
- IRS: registration status (regular / suspended / canceled / holder deceased)
- Credit score: credit performance, risk score, level of risk (low / medium / high)
- Debtors: name, type of debt (primary, co-liability), circumstances (active, collecting, paid), type of debt (penalty, income tax, PIS, etc.), amount, whether it has been taken to court (yes / no)
- Bad checks: bank and branch code, reason (insufficient funds / account closed)
- Mosaic: targeting groups and subgroups
- the same: accuracy level, percentile
- Analytical model: to create opportunities for hobbyists to buy products or services
- Pictures of faces: 1,176,157 JPEG images dating from 2012 to 2020; filename is the CPF of the respective person
- LinkedIn: 5,051,553 social network profiles with ID number and access URL
- Business: company partner name, participation (shares and %), company name and trade name, CNPJ, date of joining the company
- officer: job description, competencies, assignments, gross income, status, bonds, eliminated (yes / no)
- advice: 2,260,960 people providing consulting services in the public or private sector, including situation, expertise and career code
- Deaths: date of death, age, date of issuance of death certificate, name and address of registration agency
Updated on January 25 with Serasa’s new statement.