SecurityWeek

Data Protection

Personal Details of 120 Million Brazilians Exposed

Misconfigured databases with poor or absent access controls, on both cloud and in-house servers, are a known and common problem. Where such a database is exposed to the internet, anybody, with or without cyber expertise, can access it and its content. Although no ‘hack’ is involved, such an exposure should still be called a breach, because there is usually no way of knowing whether malicious actors have already accessed the data.

The potential severity of such a breach can only be measured by the quantity and sensitivity of the data exposed, that is, how much harm an attacker could do with it.

In March 2018, researchers at InfoArmor discovered (PDF report) an exposed database containing extensive personal data on 120 million Brazilians. Each record carried the individual's Cadastro de Pessoas Físicas (CPF), the unique identity number that Brazil's federal tax authority, the Receita Federal, issues to citizens and to tax-paying resident foreigners.

To put this in perspective, the total population of Brazil last year stood at 210 million, with an electorate of just over 147 million.

The CPF was not the only data available. Each entry linked to further personal data, comprising individuals’ “banks, loans, repayments, credit and debit history, voting history, full name, emails, residential addresses, phone numbers, date of birth, family contacts, employment, voting registration numbers, contract numbers, and contract amounts.”

The data was exposed through an unprotected backup copy of the site's index page, a file named ‘index.html_bkp’. InfoArmor regularly scans the internet for problem servers using its own AI-enhanced process. “With the mad rush to share tenant cloud services, we are seeing a tremendous amount of leaked data that is potentially 10 times greater than actual threat actor activity,” commented Christian Lees, chief intelligence officer at InfoArmor.

Lees told SecurityWeek that the ‘bkp’ in the file name likely raised a major red flag in his company's scanning process. Had the index not been renamed, or had access to it been restricted through a proper .htaccess configuration, the file would never have been reachable.
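The kind of .htaccess rule Lees is alluding to, written here as an added example rather than anything taken from the exposed server or from InfoArmor's report. It assumes Apache 2.4 syntax and a server whose AllowOverride setting permits AuthConfig and Options directives in .htaccess; if it does not, the same directives go in the vhost's Directory block instead. The suffix list is an assumption about common backup and dump naming, not a definitive one.

```apache
# .htaccess in the document root (Apache 2.4 syntax; added example, not the site's own config).
# Assumes AllowOverride permits AuthConfig and Options here.

# Deny any file whose name ends in a typical backup, dump or archive suffix,
# whether joined with a dot (index.html.bak) or an underscore (index.html_bkp).
<FilesMatch "(?i)[._-](bkp|bak|old|orig|tmp|swp|sql|sql\.gz|dump|tar|tgz|tar\.gz|zip|7z)$">
    Require all denied
</FilesMatch>

# Editor backups such as "index.html~".
<FilesMatch "~$">
    Require all denied
</FilesMatch>

# Never auto-generate directory listings. An open directory is what let the
# researchers watch the files grow and shrink over several weeks.
Options -Indexes
```

After deploying, `curl -I https://host/index.html_bkp` should return 403 rather than 200. Treat the rule as a safety net only: backups and SQL dumps belong outside the document root entirely, and a deny rule on one host does nothing for a copy that reappears on another server, which is exactly what happened when the data moved to a different IP address.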

While InfoArmor observed the server over the following days, the researchers saw an 82 GB file replaced by a raw SQL dump, which suggested the data was live and being worked on. The new file, however, was served from a different IP address than the original, adding confusion over who really ‘owned’ the data.

From April onward, the researchers tried to locate the owner in order to report the exposure. An email to the address registered to one of the hosts serving the SQL file bounced. “For weeks, InfoArmor attempted to notify the owners. The team watched the open directory, and saw the files grow larger and smaller, as if users were just working with them in the open.”

After several more weeks the exposure was closed. The misconfigured server was rebuilt as a functional website on the alibabaconsultas(.)com domain, behind an authenticated login. This does not confirm that alibabaconsultas(.)com was responsible for the leak, but it does suggest the company was at least involved, if only as a hosting provider.

InfoArmor warns “it is very likely sophisticated adversaries harvested this information. It took over a year for data stolen from Yahoo to appear for sale on the dark web, and data as unique as what was available in Brazil’s CPF server is likely to be traded among the most closed off and exotic data troves of the dark web.”

Two further issues are worth considering. 2018 is the year in which GDPR became enforceable (from May 25), and the year in which the extent of worldwide attempts at election manipulation came to the fore. 2018 was also an election year in Brazil. A last-minute surge in the polls by a far-right former army captain, Jair Bolsonaro, almost won him an outright majority in the first round; he went on to win the run-off on October 28, 2018. There is no suggestion that this election was manipulated, but it is notable that the exposed data includes ‘voting registration numbers’.

GDPR may also be relevant to this breach. One of the GDPR unknowns is how far EU regulators will press the law's territorial reach. Under Article 3 it protects individuals who are in the EU regardless of their nationality, and it binds organizations outside the EU whose processing relates to offering goods or services to those individuals or to monitoring their behaviour. Brazil has many nationals living and working in Europe, professional footballers being an obvious example. If the records of any of them were among the exposed data, the processing could, technically speaking, fall within the scope of GDPR, though whether a regulator would pursue a Brazilian operator over it remains untested.

Related: Thousands of Organizations Expose Sensitive Data via Google Groups 

Related: Thousands More Personal Records Exposed via Misconfigurations 
