PF is still investigating hacker attacks and ‘mega-leakage’ of data a year later

The balance of cyberattack investigations is disappointing. The main hacker attacks on government agencies during the pandemic and the investigation into the case of the “megaleak” —the sale of personal data of 223 million Brazilians on the internet—, which took place about a year ago, are still unanswered.

Among the most recent cyber offensives, the PF (Federal Police) is investigating the kidnapping of data from the STJ (Superior Court of Justice) and the leak from the TSE (Superior Electoral Court), both in November 2020, the so-called megaleak, denounced in January of 2021 by the security company Psafe, and the intrusions into systems of the Ministry of Healthand and other bodies in December.

So far, at least four people have been arrested (two of whom have been released) related to cases of TSE and the sale of data packages on the internet, but no effective action on the security of citizens’ personal information, especially in the public sector.

The ANPD (National Data Protection Authority), responsible for overseeing compliance by companies and public bodies with the personal data protection law, says it awaits responses from the Ministry of Health and reports from the PF in most cases.

Structured at the end of 2020, the authority was originally designated to be an independent autarchy, but was linked to the Casa Civil. The directors were appointed by President Jair Bolsonaro (PL).

The law determines that the information of the holders is protected from a technical point of view, with digital security in systems and internet pages, and from a contractual point of view: data cannot be shared with other companies or bodies without transparency or the consent of the citizen, for example.

“In the case of the Ministry of Health, we are working to provide a feedback to society, we are waiting for answers about who is in charge [dos dados], as is the question of encryption, among others. In my opinion, governance procedures have to be revised, as well as password policies. The leak sometimes comes from inside the company”, says Waldemar Gonçalves Ortunho, ANPD’s CEO.

The sale of personal information intensified after the mega-leakage, which took place a year ago, and the sale of access to a database is a recurrent practice, as shown in a recent report by leaf.

In January 2021, the company PSafe disclosed that data such as CPFs, addresses and other information on 223 million Brazilians, therefore including dead people, were being traded on internet forums. Although the sale of information is common, what amazed experts at the time was the amount of information in the archives.

Although several companies emerged as suspects, the strongest hypothesis is that the data was aggregated over several years and from different sources, not just one.

Even the name “megaleak” is disputed in the digital security community, since it assumes that it came from only one source. The hypothesis that it is only one source, however, has not yet been ruled out.

“The investigations are advanced, they arrived at a name in Uberlândia (MG), they had seizure of 4 terabytes of data, which are being investigated, but nothing has been concluded so far”, says Ortunho.

He refers to the arrest of a hacker known as VandaTheGod, with a recognized history of hacking in the cybercrime world.

He and another suspect, who was later released, had preventive detention ordered by Supreme Minister Alexandre de Moraes for previous actions.

VandaTheGod even wrote on a social network, before being arrested, that the origin of the megaleak was not Serasa (one of the companies questioned at the time and which did not verify any incidents in their systems), but another private company linked to the government.

The STJ case, in November 2020, is also unresolved. The court’s systems were targeted by ransomware, data hijacking by encryption, and released upon payment of ransom.

This was one of the fastest growing cybercrimes in 2021, according to reports from security companies. Companies such as JBS, in the United States, which paid US$ 11 million (R$ 62 million) to criminals, and Renner and Embraer, in Brazil, entered the sights.

At the time of the Judiciary, ministers and servers were unable to access their emails and files. The systems were recovered just ten days later. At the time, suspicion revolved around a foreign CNPJ.

In the same month as the STJ, the TSE was leaked. The data, however, was old. The police carried out search and seizure warrants in São Paulo and Minas Gerais, in addition to an arrest warrant. A hacker was arrested in Portugal and operates under the code name Zambrius.

The suspects in Brazil were released by the police and would not have been directly involved in the leak, being only mentioned in a sample.

Even though the investigations culminate in prisons, the public sector has demonstrated vulnerability in its systems, weak or non-existent governance for data processing and little return to society, according to lawyer Danilo Doneda, member of the ANPD’s national data protection council.

“These are announced tragedies. By quickly blaming hackers, we wash our hands of the public sector’s own responsibility. The systems are hacked, but they shouldn’t be,” he says.

For Ortunho, Brazil needs a “new body for handling incidents, which must be well thought out, with a lot of technology and trained personnel, so that it can be detected soon”. In addition to the PF in the criminal area, the GSI (Institutional Security Office) investigates cybercrimes.

During the pandemic, there was also hacking in the TRF3 (Federal Regional Court of the 3rd Region), in the TJ-RS (Rio Grande do Sul Regional Court), in the Army, in the Senate, other leaks in the Ministry of Health, in addition to less offensive to a number of government websites.