Security incident at Ministry of Economy server exposed Brazilian citizens' data

By Fabio Vieira and Eduarda Baldavira

 

Last week, an intelligence report by Group-IB, a company that continuously checks the Internet for anomalies, disclosed a security gap in the server of the Ministry of Economy that occurred in January 2021.

According to the report, the data of about 20,000 Brazilians was exposed for two months and included names, CPF numbers and even selfies of people holding their identity card and driver’s license, sent as part of a registration procedure that requires users to prove their identity.

Group-IB reported that it notified the Brazilian authorities immediately after discovering the incident, and within ten hours the server was already offline.

The security incident involving the Ministry of Economy was not the first involving public agencies: in 2020 there was a data leak on the Ministry of Health’s servers that ended up exposing data from more than 200 million Brazilians, and in 2021 a breach on the Labor Department’s website also leaked personal data from thousands of citizens.

This series of data leaks demonstrates that public agencies are lagging behind in adapting to the Brazilian General Data Protection Law (“LGPD”).

According to an audit conducted by the Court of Audit of the Federal Government (“TCU”), even with the extended deadline for organizations to adapt (from 2018 to 2020), 3% of 382 public agencies are at the enhanced degree of adaptation to the LGPD, while 58.9% are at the initial degree, 17.8% are at the unimpressive level and 20.4% are at the intermediate level.

The TCU also recommended that the Digital Government Secretariat of the Ministry of Economy, the National Council of Justice, and the National Council of the Public Prosecutor’s Office issue normative acts and guides with the National Data Protection Authority (“ANPD”) to assist the process of adapting organizations to the LGPD.

This article is intended exclusively to provide information and does not contain any opinion, recommendation or legal advice from KV Advogados in relation to the matters herein addressed. Copyrights are reserved to Kestener & Vieira Advogados.
