An unprotected server belonging to a Brazilian financial services provider has exposed a massive batch of data from customers of various local banks, security experts have found.
The vulnerability was detected by security researchers Data Group, and the total size of the sensitive personal information left publicly accessible is estimated to be 250GB.
The number of individuals affected by the leak, first reported by Brazilian website The Hack, is still unknown. Even though the incident is linked to more than one bank, a sizeable chunk of the documentation exposed relates to local firm Banco Pan.
Exposed personal data includes scanned ID and social security cards, as well as documents provided as proof of address and service request forms filled out by customers based in the capital city of Fortaleza, in the Brazilian state of Ceará.
In a statement, Banco Pan said it doesn't own the vulnerable environment. Rather, the environment is managed by a commercial partner of the bank, which appears to offer services such as loans for pensioners, given that the leaked documents appear to mostly match that profile.
"After careful analysis of its security systems accompanied by independent consultancy, it has become evident that the server is not owned by Pan and that no intrusion into the bank's infrastructure has been found," the bank stated.
The company added that in its dealings with business partners, registration data from potential customers is captured by third parties prior to the conclusion of contracts such as loan transfers.
"[Pan] will take appropriate measures if any misuse of this [personal] data is identified," it noted, stressing that security is a key priority for the firm and that it complies with data protection best practices as well as local regulations.