Brazilian data protection authority investigates first PIX data leak

Over 395,000 electronic payment keys have been exposed after a systems failure at the state-owned bank, Banese.

Brazil's national data protection authority (ANPD) is investigating the first leak of instant payment credentials under the custody and responsibility of the Bank of the State of Sergipe (Banese).

The Central Bank reported the incident on September 30. It involved 395,009 phone numbers of non-account holders used as "keys" for transactions carried out through Pix, the country's instant payments system.

According to the IT department at Banese, the details are likely to have been obtained through social engineering or phishing techniques.

In a statement, ANPD noted that it received a communication "from a financial institution about a security incident around the leakage of holders' personal data through the Instant Payments System (Pix)" on September 30.

The data protection body added that, on the same day, it was contacted by the Central Bank about the same security incident. This is the first major leak involving Pix since its launch last November.

According to ANPD, a preliminary analysis of both communications has been carried out "to identify the responsibility of the multiple [data] treatment agents" involved in the case.

"Within the scope of its legal mission, [ANPD] will work with those responsible to ensure that the [Pix key] holders are properly informed, to ensure all the technical measures are adopted to avoid new similar incidents and that the appropriate actions are taken to reduce the impact of what happened on [key] holders", the note added.

With major information security incidents becoming more frequent in Brazil, ANPD recently launched a data protection guide as part of efforts to raise awareness on the issue among the general public. The material includes guidance on the steps that should be taken in case of incidents relating to personal data.

The Banese leak follows the Central Bank's decision to cap the value of transactions carried out through Pix between individuals at night at 1,000 reais ($182). The decision aims to reduce kidnappings and will also apply to debit cards used for payments via WhatsApp Pay.