Over half of Brazil's population exposed in security incident

Records of 120 million taxpayers have been openly available online for weeks, according to experts.
Written by Angelica Mari, Contributing Writer

A publicly accessible server containing unique taxpayer registry identification numbers for Brazilian nationals has been discovered, placing as many as 120 million citizens at risk.

The ID numbers, known as Cadastro de Pessoas Físicas (CPFs) are issued by the Brazilian Federal Reserve to Brazilian citizens and tax-paying resident aliens, and are linked to aspects ranging from credit and debit history to employment details.

According to security firm InfoArmor, who discovered the incident, the information related to about 57 percent of Brazil's population was leaked by a misconfigured server earlier this year.

After examinating the server, the researchers found that the "index.html" had been renamed to "index.html_bkp," revealing the directory's contents and giving unfettered access to anyone who knew the filename.

"Two simple security measures could have prevented this: not renaming the main index.html file or prohibiting access through .htaccess configuration. Neither of these basic cybersecurity measures were in place," the report states.

The company tried to find out who owned the server and after a few unsuccessful attempts, it received a reply from the database hosts that they they had notified their customers about the legal issues of leaving such data exposed.

However, the data continued to be available online and the question of who actually owns the server remains unresolved. While InfoArmor tried to report the discovery to owner of the database, the 82 GB file was replaced with a raw 25 GB .sql file.

"The team watched the open directory, and saw the files grow larger and smaller, as if users were just working with them in the open," the report says. In April 2018, the server was finally fixed to secure the data.

According to the experts, this oversight could be a vehicle for serious misrepresentation for the country as a whole as well as individuals.

"For example, an advanced cyber ring or malicious nation state with the ability to make it appear as if Brazil were attacking, say, the US, when the attack was in fact driven by another country," the report points out.

"With voting and debt records, bank accounts, and the like exposed to the world's savviest cyber communities, the identities of these individuals are at greater risk to be sold and traded in the underground economy," it adds.

When such large breaches occur, large organization are often blamed, but the report calls for acknowledgement that "in most cases, we are our own worst enemy."

"Whether we mean to or not, disregarding basic cybersecurity practices makes the work of hackers substantially easier and, in the end, we are all affected."

Editorial standards