A Brazilian consumer rights watchdog has urged the federal government to take immediate and urgent action to protect citizens who had their personal details exposed online.
The notices sent by the Brazilian Institute for Consumer Protection (IDEC) to several government agencies relate to a massive data leak, which saw details of 223 million Brazilians, ranging from name and address to current income, personal vehicle information and tax returns, exposed and sold on the dark web.
In addition, the leak included information from Mosaic, a consumer segmentation model used by Serasa, the Brazilian subsidiary of credit research multinational Experian, which was also exposed and offered for sale online. The incident was discovered by cybersecurity firm Psafe in January, and is considered to be Brazil's most significant data leak on record.
According to IDEC, the scale and scope of the situation call for regular inspection measures to be adopted for large-scale databases, such as those of credit bureaus, which could have been the source of the leak. The consumer rights organization also noted that data leaks in Brazil have become an "unacceptable routine" and that one way to reduce the likelihood of such occurrences is to prevent consumer databases from being formed without any limitations and to give consumers the choice of opting out of them.
"What we have today is a single certainty, that the citizen is completely adrift. Fear is a constant, with fraud attempts increasing every day due to the amount of data that was leaked", points out IDEC's lawyer, Michel Roberto de Souza. "Institutions must investigate and punish, but they must also inform and guide citizens about what is happening. We need a lot of transparency as well as timely and adequate solutions."
Yesterday (8) Experian released a statement saying that it is carrying out a "detailed forensic investigation" into the possibility that "some of the [leaked information] may have been sourced from its non-sensitive marketing data".
On the other hand, the company argued that the data offered for sale online "includes photographs, social security numbers, vehicle registrations and social media login details, which Serasa does not collect or hold." In addition, Experian stated that "there is no evidence" that credit data has been illegally obtained from Serasa, or that the company's technology systems had been compromised.
According to IDEC, the data exposure is a serious violation of the General Data Protection Regulations, as well as the Brazilian Consumer Protection Code, due to the non-compliance with security measures, as well as a serious violation of security and information duties in the provision of services.
In the documents sent to the authorities, the Institute is requesting more effective measures and a "robust cooperation" from the recently created National Data Protection Authority and the National Consumer Secretariat with the Federal Police, the Public Prosecutor's Office and the National Congress.
In addition, IDEC points out the need for involvement of the Central Bank, which regulates Serasa, due to the considerable doubt over the possibility that "at least part of the data leak" has originated from the company.
According to the consumer rights institute, the scope and risks posed by this incident require "coordinated action by all competent authorities to ensure efficiency and speed in investigations and in the adoption of measures necessary for consumer safety".
In addition, IDEC argued that a contingency plan to minimize the damage caused by the leak is among the actions needed, alongside extensive communication of the incident, with a website made available to outline the data leaked for each consumer, as well as wide dissemination of the necessary precautions to avoid scams that use leaked data, and free-of-charge mechanisms for monitoring usage of taxpayer registry identification numbers.