We had barely had time to breathe and absorb all the misfortunes of 2020 when, on January 19 this year, the whole of Brazil went into a frenzy after several media outlets began reporting what would be the biggest data leak in the country’s history. A criminal was allegedly selling, on a surface web forum, the personal data of more than 223 million citizens – including deceased people – and had even released some free samples from the database.
The National Data Protection Authority (ANPD) requested investigations into the incident, directed mainly at Serasa, since some elements of the database on offer mentioned the credit bureau – even though the company, from the beginning, vehemently denied any connection to the exposure. Federal Police operations culminated in the arrest of two suspects: Marcos Roberto Correia da Silva (“Vandathegod”), from Minas Gerais, and Yuri Batista Novaes (“JustBR”), from Pernambuco.
Since then, the “megavazamento” – as it became known – has made headlines in national and international newspapers and fueled endless discussions about data privacy, the General Data Protection Law (LGPD), the effectiveness of the ANPD, and guidance for the general public on how to protect themselves against possible identity fraud. What many are failing to notice, however, is that, in the end, such a “mega leak” may never have existed.
First things first. As The Hack explained in its newsletter of February 22, PSafe – the Brazilian company that identified the sale of the data and alerted the media – came under a wave of criticism from the market for a disclosure that fell short of industry standards. The company did not investigate the leak in depth, limiting itself to a press release that caused more fear and doubt than it offered answers.
At the time, a C-level information security executive (who preferred to remain anonymous) told The Hack exclusively: “protection and data privacy. It is unfortunate that companies take such paths to promote their brand in the market.” The article can be read in its entirety at this link.
The point is this: it is unethical to conclude, without due investigation, that a database offered by an anonymous criminal is in fact an unprecedented leak. Since these cybercriminals profit from selling such databases, it is only natural for them to compile several different exposures into a larger collection and offer it on the “market” to attract the public’s attention. Along the way, slipping in one or two PDFs from a private company would be enough to pin the incident on it.
In a survey conducted in a private group that brings together dozens of CISOs (Chief Information Security Officers), The Hack found that 57% of professionals in the field believe most of the “mega leak” consists of old material enriched with a small amount of unpublished data. Another 40% believe the database contains nothing new at all, being a compilation of known leaks; only 3% of respondents believe the exposure is, in fact, new.
It’s a leak … But is it new?
In an interview with The Hack, Alexandre Sieira, CEO of Tenchi Security, stated that the mere presence of references to Serasa in the database is not sufficient proof that the company was breached. “Someone may have legitimately purchased this information from Serasa years ago; there may be a Serasa partner who has access to this information, or even a company customer with access to the data,” the executive explained in a quick phone conversation.
“There are a lot of possible scenarios, and none of the evidence presented in PSafe’s news articles or publications lets you know whether any of these happened. Again, it could be a combination, a junction of three or four leaks, each of a different type,” says Sieira. “We saw headlines saying ‘new leak’. We have no evidence to know whether there was a leak and whether it is new. It may simply be data reused from previous databases,” he concludes.
Sieira also notes that the companies linked to the “leak” without any technical basis were approached by several authorities, creating a situation of embarrassment and real impact before anyone knew whether they were actually involved. The expert also expresses concern that the black market for personal data has existed for years – including on the surface web, in places such as the very forum on which the database was offered, and in Facebook groups.
“Is there a consistent investigation into this to crack down on criminals? Do police authorities have the tools to go after these people? Shouldn’t we focus not on a particular set of data that is being sold, but rather on whether there is coordinated action by the authorities to discourage these public announcements? As soon as someone who illegally sells personal data has a greater-than-zero chance of being arrested, we will have fewer people selling it,” he concludes.
Coincidentally, last Wednesday (24), the 22nd Federal Civil Court of São Paulo denied an injunction that would have forced Serasa to notify its customers about the mega leak, precisely because of the lack of evidence that the company is involved in the incident. “Only after the necessary evidence is produced will it be possible to determine compliance with the legal duty to inform data subjects about the data leak incident,” noted Judge José Henrique Prescendo, who is responsible for the case.
The big question now is: if the mega leak really is a collection of reheated data, who would have an interest in spreading that story? We can work with only two hypotheses: the criminal (who profits from selling the database either way, although there is no evidence that his sales were successful) and security companies that offer B2B solutions to prevent data leaks. With the public in a panic, it is natural for demand for this type of service to grow.
Regardless, it is worth remembering that, if it is proven that the leak is not new, that the data was obtained legitimately, and that Serasa has no connection to the incident, those responsible for spreading this “idea” could potentially be charged under Article 340 of the Penal Code: “Provoking the action of an authority by informing it of the occurrence of a crime or misdemeanor that one knows has not occurred.” This is the well-known offense of “false reporting of a crime”, and the offender can be detained for six months.
The Hack will continue to investigate the case.
See the original post at: https://thehack.com.br/seria-o-maior-vazamento-de-dados-do-brasil-uma-fraude-especialistas-comentam/?rand=48873