Brazilian security firm leaks more than 25 GB of client and staff data

A home and business security company with several subsidiaries has exposed hundreds of thousands of client and employee files, an investigation by ZDNet in partnership with The Hack has found.

A configuration failure on a server belonging to Orsegups Participações, a large Brazil-based holding company that controls seven businesses active in the property security sector, exposed a series of tax documents revealing clients' contract values and staff information.

The leak, investigated by ZDNet in partnership with Brazilian cybersecurity news website The Hack, has compromised more than 25 GB of files, including invoices and tax collection documents referring to services provided by the group's companies.

Orsegups describes itself as a leading company in the security sector, with over 40 years of experience in providing home security services to private companies, public sector bodies and individuals. The company's various operations provide services including surveillance, CCTV and alarm monitoring, access control, remote concierge, vehicle tracking and security teams.


The files exposed by the leaky S3 bucket included a wide variety of tax documents intended for internal use, which reveal the value of contracts for services provided to public and private entities. Among them were hundreds of thousands of payment slips and tax documents, including receipts and social security documents of Orsegups' own employees.

A series of invoices issued to thousands of individuals who hired the company's services for residential and vehicle protection has been exposed in the leak, including the clients' full names, social security numbers, addresses and telephone numbers.

When it comes to corporate clients, the leak stands out for revealing details of spending on security services at public bodies as well as private companies. Orsegups was notified on January 31 and took the vulnerable server down several weeks later.

In a statement, the company noted that the S3 bucket "only stored legacy files from a portal that had already been disabled in 2017, in an AWS account that is no longer used." The company added that it has a security team to monitor its active platforms and has implemented good practices and governance for its data security.