The complete data of millions of Brazilians are exposed on the internet on websites that can be accessed by anyone willing to pay a monthly fee that varies around R$ 200.
They are criminal pages that bring together records leaked from CadSUS, Senatran (National Traffic Department), the Federal Revenue Service, INSS (National Social Security Institute), the private company Boa Vista and Sinarm (National Weapons System) of the Federal Police.
All information is organized in what sellers present as “panels”. To access them, you need a login and password. Available data include full name, address, CPF, ID, name of parents and siblings, approximate income, photo and CNH signature (if you have the latest model) and social benefits, among others. It is even possible to know if there is an arrest warrant in the person’s name.
These trades do not take place on deep web forums, as is often the case with many illegal transactions. In the case of panels, sales are made through conversations on Facebook on the so-called surface web, the internet layer where content can be found easily by any user.
Without identifying itself and posing as an interested buyer, the newspaper contacted some sellers of these panels and was given free access to test the program.
According to Roselle Soglio, criminal lawyer and professor of criminal law and criminal procedure, both those who sell the access and those who buy it commit crimes. They can be charged under Articles 153 and 154 of the Penal Code, which deal with the dissemination of private content and invasion of digital devices.
“The law of digital crimes applies as much to those who let the data leak as to those who accessed it illegally”, Soglio says.
The report visited two panels. Both promised wide access to Brazilian data, but with some technical differences: one of the sites allowed more sophisticated cross-referencing of information and had fewer flaws during searches.
To verify the veracity of the panels, the report used data from volunteers and companies that, for security reasons, will not be identified. All searched information was found.
Sellers say that they pull the data using the logins of employees of government agencies, which gives them improper access to the institutions’ systems. The data is updated continually, at intervals ranging from a few days to about a month.
Soglio explains that by selling passwords, employees commit the crime of embezzlement. “In this case, there is also a crime against the public administration. There is an aggravating factor because they should protect this data”, the lawyer says.
The panels offer cross-referencing of information such as zip code, name and income, creating a profile of victims, which makes things easier for robbers, for example. Setting a minimum income for a street is enough for the system to return a list of residents who declare values close to that amount.
They also cross-reference data from the Federal Revenue Service, INSS and Boa Vista to estimate loan amounts that could be released in victims’ names. They also show whether the victims already have credit approved. The estimates include dead people.
The site also provides data on payroll-deductible loans for retirees, civil servants and the military. To get the data, it is enough to access the INSS, Siape (Integrated Personnel Administration System) or Army database registered in the system.
The search can be based on any information the criminal has about the person, be it the CPF, full name, the company he works for or the registration number of the institution he is linked to.
In the case of companies, the CNPJ makes it possible to access the name, CPF and other personal data of employees. The panels also offer a tool that shows the company’s vehicle fleet.
Some information, however, is outdated or approximate, such as income and credit rating agencies.
According to Fabro Steibel, executive director of the ITS (Institute of Technology and Society), the panels allow criminals to specialize in one type of scam. “If I have a person’s data, I will not create an illicit business to apply scams. If I have 200 million people, I create a little robot and start sending messages”, he says, taking as an example boletos and WhatsApp scams.
The researcher claims that the leak creates a great risk for the state, since, with artificial intelligence, it is possible, for example, to obtain data from police officers across the country.
Another problem is that the leaked data from the Federal Police belong to Sinarm, which makes it possible to know the weapons linked to the person’s CPF. Through the search, it is possible to know all the information about the weapons, as well as the address and other personal data, which facilitates criminal actions and the diversion of firearms.
“There are also politically exposed people. If I do a search only for exposed people, I have a very rich search for clients to extort,” says Steibel.
According to Celina Bottino, director of the ITS (Institute of Technology and Society) and a specialist in technology and human rights, it would be necessary to limit employees’ access to the data strictly necessary for them to carry out their duties.
“The State, as the largest repository of personal data, more than anyone else, has to put all the protections arising from legal obligations in place,” says Bottino.
In the case of leaks, the LGPD (General Data Protection Law) requires that all affected individuals be notified of the compromised data, the risks related to the incident and the measures taken to mitigate the damage.
The sanctions for institutions that do not comply with the legislation range from a warning to a ban on activities related to the database involved, in addition to a fine, which can reach up to R$50 million.
In response to the article’s questions, the Federal Police says that the system was accessed through the improper use of a username and password and not because of a technical failure.
“The PF emphasizes that it uses state-of-the-art technology in data protection, however improper access to a database, with the use of a username and password, is outside the scope of the protection technique”, it says in a note.
The Ministry of Health claims that it is not aware of accusations of access through valid credentials and that it constantly monitors CadSUS.
“If any irregularity is found, access to the credential is suspended and the competent bodies are duly informed so that the necessary measures can be taken”, it states in a note.
The INSS declares that “personal information and information about benefits are considered confidential, and may only be provided to the person who owns the data or to any legal representative specified by law”. It also says that it works to ensure users’ safety. The institute did not say whether it was already aware of the leaks or whether it will notify the affected public.
The Federal Revenue Service claims that its databases were not leaked.
Senatran declares that so far it has not identified any evidence of data leakage from its data processing base. It says that, if the allegation of access sales by employees is confirmed, this is a criminal practice, which will be investigated by the police authorities.
Boa Vista claims that there were no unauthorized accesses to the systems and database under its responsibility. The company clarifies that access capable of generating credit reports is the responsibility of the customers and that the sale of this data is contractually prohibited.
The ANPD (National Data Protection Authority) says that there is no inspection process in progress relating to the panels and that it will be necessary to verify whether the leaks stem from previous or new incidents. It also says that institutions have a duty to submit the “Security Incident Notice”, so that the authority is aware of the leak.
See some leaked data
|THEIR||Sinarm (Federal Police)||Senatran|
|Issuing agency||Address||CNH number|
|Father’s name||Weapons brand||Father’s name|
|Mother’s name||Model||Mother’s name|
|Date of birth||Finishing||Displacements|
|Nationality||Number of shots||Color|
|SUS number||Issuing agency||Vehicle type|
|Address||Participation in companies||Address|
|Mother’s name||Protests||Credits given|
|Date of birth||Name||Bank data|
|Date of birth||Address||Social benefits|