Data on retirees and public servants are sold on the dark web, says company

Cybersecurity company ISH Tecnologia says it has found two databases of Brazilians being sold on the internet.

One of them, offered for US$ 600, is said to come from Siape (Integrated Personnel Administration System) and to package data from a 2020 leak with information on federal civil servants and retirees.

Based on the user’s post, the company also says that the other package includes data from the SPC (Credit Protection Service). The entity, however, denies that its data has been leaked.

“The information on the sale of personal data from the SPC is not true,” the service said in a statement. “Technical analyses were carried out to investigate the case, and the conclusive report indicates that the personal data disclosed has no origin and no correlation with the SPC Brasil database.”

The data did not undergo analysis by ISH Tecnologia. The company cannot say how many people would be affected by the packages on sale.

The posts were reportedly made in late June on a cybercrime forum created in the first quarter of 2022.

The data has already left the dark web and is on the deep web, that is, a space that is easier to access. According to Leonardo Camata, director of innovation at ISH Tecnologia, it is as if the data were rising to a more navigable and exposed surface, like the sites we find in a Google search.

“When there is a leak of this type, this information ends up on the dark web, more heavy-duty forums,” says Camata. Accessing the dark web requires specific technologies.

While it is used, in some cases, to circumvent censorship or ensure communication from people persecuted by governments, for example, the dark web also has communities focused on illegal activity, says Luis Corrons, Senior Adjunct Researcher at Avast.

“Over the years, we’ve witnessed how vast amounts of personal information have been sold on the dark web, much of it coming from data breaches,” he says.

On the deep or dark web, many of these forums are difficult to access and operate by invitation. The one identified by ISH Tecnologia can be accessed by anyone, according to Camata.

In the post, according to the company, the criminals provide a contact channel on Telegram and ask for payment in cryptocurrency to make tracing difficult.

“These sales occur by reputation,” says Camata, that is, by the level of trust the seller enjoys in that community.

The buyer may be someone unfamiliar with technology who wants the information in order to carry out scams.

“Data leakage is not the end of fraud,” he says. With more information, frauds become more refined. A link that identifies the victim’s CPF and date of birth, for example, is more credible than an email that asks the user to click on a link.

“Brazil was one of the last countries that adopted a law such as the General Data Protection Law,” he says about the text approved in 2018. The LGPD allows citizens to demand clear information from public and private companies about what data was collected, how it is stored and for what purposes it is used.

Added to this is the vulnerability of devices. Camata says Brazilians are still not used to applying security procedures, such as enabling two-step verification on their apps and using different passwords for multiple accounts. “Culture takes time to be transformed,” he says.

Faced with the volume of data leaks in recent years, Camata says the best precaution is to assume that any new contact can be malicious, whether by email, message or phone call.
