Criminals sell passwords that allow you to change SUS registration

Logins and passwords for the CadSUS (National Register of SUS Users) and E-SUS systems, from the Ministry of Health, are for sale on the internet. The access offered by criminals allows buyers to make changes to the record of people registered in the system. It is possible to change the father’s name or blood type, modify documents and even declare the person’s death.

The ads were found by the report on social networks like Facebook and on video platforms like YouTube.

The actions of these criminals precede the hacker attack that the Ministry of Health website suffered in the early hours of Friday (10), but the illegal trade practiced by them highlights the fragility of the federal system.

Without identifying himself, the leaf contacted one of the sellers and received an offer of access that would allow them to change registration forms and consult personal data on CadSUS for R$250 per month. The E-SUS is sold for consultation only.

Trading is done via Facebook messages. The ads are located on the so-called surface web, which, unlike the deep web, is the internet space that is available to all users and has content that can be found easily on search engines like Google.

The scheme allows the involvement of third parties, increasing the capillarity of the scheme. One of the products sold is the access as administrator, in which the person can create new logins and start selling them as well.

Criminals claim that, with access to CadSUS in hand, it is possible to change race, blood type, father’s name, nationality, city of birth, add or change the social name, telephone number, address, in addition to declaring the death of the victim. It is also possible to add birth, marriage and other certificate data.

Access also allows you to change the RG and social registration number fields, in addition to inserting or removing the photograph that is on the file.

The people behind this scam are credentialed system operators, not hackers. Employees, including doctors, associate with criminals and sell passwords.

The transfer of accesses constitutes a crime of embezzlement, when public servants take advantage of their role to obtain an undue advantage, explains Fernanda Prates, lawyer and professor at FGV-Rio (Fundação Getulio Vargas).

In addition to this crime, the civil servant can be accused of inserting or facilitating the insertion of false data, improperly altering or deleting correct information in public administration databases, which carries a penalty of 2 to 12 years and a fine.

“[Neste caso] it doesn’t enter the data directly, but it makes it easier for third parties to make this modification,” says Prates.

The sale of accesses is a scheme known by the authorities. In September 2020, the Federal Police carried out an operation to arrest a person who was selling CadSUS passwords. The investigation began in November 2019 and is ongoing.

At the beginning of November, the data on the vaccination certificate of scientific popularizer Átila Iamarino were changed on the Connect SUS platform, managed by the Ministry of Health. server.

Danilo Doneda, lawyer, professor at the IDP (Brazilian Institute of Education, Development and Research) and member of the National Data Protection Council, says that this is a problem arising from the construction of the SUS system. The system gives autonomy to employees in order to increase the reach of health services, but it opens up loopholes for this type of crime.

This year, there were cases of politically exposed people who had their data changed in their registration forms in the SUS. Federal deputy and PT president Gleisi Hoffmann (PT) and former federal deputy Manuela D’ávila had their deaths registered in the system.

Hits with the purpose of practicing a stunt, however, tend to be more frequent.

“I imagine the most obvious things are to defraud Social Security and Social Security systems, and some other things that can be made easier with that kind of documentation, like fraud in the financial system, because you’re going to have a document with some kind of public faith” , says Doneda.

The way of acting is similar to that of criminals who carry out the sale of consultation panels, as shown by a report from leaf. Employees of public agencies from Senatran, SUS, Federal Police, Revenue and INSS provide access that allows the creation of a database of Brazilians registered in these locations. As with the E-SUS registration, the panels only allow consultation.

Unauthorized access to personal data registered in the system and changes in the records violate the LGPD (General Data Protection Law).

The legislation obliges information holders to protect data from unauthorized access, in addition to determining that, in case of leaks, all those involved are notified and measures are taken to reduce the damage.

In addition, the holder of personal data has the right to petition against the controller before the ANPD (National Data Protection Authority). You may also object to the way your information is handled.

The Ministry of Health declares that it forwarded the contents raised by the leaf –videos and addresses of the advertisements’ websites– to the DataSUS Information Security team, “which is taking the necessary steps to open the process with the competent authorities and due investigation”.

The folder claims that it blocks the responsible operator’s credentials whenever an irregularity is notified and corrects the data of victims of criminal practices, in addition to constantly monitoring systems and access to databases.