After receiving feedback from Experian over a massive data leak in Brazil, São Paulo state consumer rights foundation Procon described the company's explanations as "insufficient" and said it is likely that the incident was initiated in a corporate environment.
Procon notified the credit information multinational following the emergence of a leak that exposed the personal data of more than 220 million citizens as well as companies, currently offered for sale in the dark web. Security firm PSafe discovered the incident, which exposed all manner of personal details, including information from Mosaic, a consumer segmentation model used by Serasa, Experian's Brazilian subsidiary.
Following the emergence of the leak in January, Procon notified the credit bureau, and asked the company for a confirmation of the incident, and an explanation of the reasons that caused the leak, the steps taken to contain it, how it will repair the damage to consumers impacted and the measures taken to prevent it from happening again.
"No hypothesis has been ruled out, and at the moment we consider it is more likely that the leak came from inside companies rather than hackers," said Procon's executive director Fernando Capez, adding that Experian's feedback prompts more questions than answers. The explanations from the company will be analyzed by the board of the consumer rights body, and a fine may be applicable if any wrongdoing becomes evident.
According to Procon, Experian informed that all its activities that involve personal data comply with the Brazilian data protection regulations, and that processing of such data can legally serve several purposes. That part of the answer was insufficient, the consumer rights body said, since "there is no legal basis for the treatment and use of data in an indiscriminate manner" and that includes data of deceased individuals, also exposed in the leak.
In addition, Procon noted that Serasa Experian did not specify the technical and organizational measures adopted to implement its data protection policy. Moreover, the company reinforced what it had said in a statement released last week in its response to the notification, that there is no evidence that credit data has been illegally obtained from its Brazilian subsidiary. The company also argued that there is no evidence that its technology systems had been compromised.
In relation to Serasa Experian's risk mitigation policy that may occur in such circumstances, Procon said the company only stated that a "comprehensive information security program" is currently in place. Regarding damage repair to consumers, Serasa Experian stated that its website has instructions on what to do in case of fraud. Procon's stance is that this is a preventive measure rather than a reparative action.
Contacted by ZDNet, Serasa Experian did not answer to requests for comment on Procon's response to its feedback. The agency's demands for answers follow calls from the Brazilian Institute for Consumer Protection (IDEC) for urgent measures to investigate and punish those responsible for exposing the population's data, as well as improved citizen information and transparency.