A total of 644 Pix keys from Caixa Econômica Federal customers had data exposed, the Central Bank (BC) reported this Friday, November 8th, 2024. This was the 16th incident involving Pix data since the launch of the instant payment system in November 2020.
According to the BC, the exposure took place on September 24th and 25th and covered the following information: user name, CPF, relationship institution, branch, account number and type, account opening date, Pix key creation date, and the date from which the user has held the Pix key.
The exposure was caused by specific failures in the payment institution's systems and involved registration data, which does not affect the movement of money. Data protected by bank secrecy, such as balances, passwords, and statements, were not exposed.
Although the case did not need to be reported due to the low potential impact on customers, the administration clarified that it decided to publicize the incident in the name of “commitment to transparency”.
Everyone whose information was exposed will be notified through the institution's application or internet banking. The Central Bank stressed that these will be the only channels used to notify customers about the exposure of Pix keys and asked customers to disregard communications such as phone calls, SMS, and notices via messaging apps and email.
Data exposure does not necessarily mean that all the information has been leaked, but that it was visible to third parties for some time and may have been captured. The BC said that the case will be investigated and that sanctions may be applied. The legislation provides for a fine, suspension, or even exclusion from the Pix system, depending on the severity of the case.
In all 16 incidents with Pix keys recorded so far, registration information was exposed, without exposing passwords and bank balances. As determined by the General Data Protection Law, the monetary authority maintains a page on which citizens can monitor incidents related to the Pix key or other personal data held by the BC.
In a note, Caixa informed that the incident did not affect confidential data or any other information of a banking, tax or asset nature. According to the bank, the situation was quickly corrected, and customers were notified. “The bank reaffirms its commitment to the security and privacy of its customers’ data and highlights that it continually improves the security criteria in its channels, products, and services,” responded Caixa.
Source: Ciso Advisor