[BreachExchange] Citizen Data of 92 Million Brazilians Offered for Sale on Underground Forum

Nora Butkovich nora at riskbasedsecurity.com
Fri Oct 11 16:11:56 EDT 2019


https://www.cpomagazine.com/cyber-security/citizen-data-of-92-million-brazilians-offered-for-sale-on-underground-forum/

When sensitive personal data is stolen, the world at large is often not
aware of it until it appears for sale on the dark web. Such is the case
with a database that recently surfaced on an underground forum and appears
to contain the personal data of 92 million citizens of Brazil. The seller
is offering not just the database itself, but also to look up specific
citizens' data on request.

Where did this Brazilian citizen data come from?

This massive trove of citizen data is a mystery at present. There have been
no public announcements of data breaches recently that would correspond to
this information.

Research by BleepingComputer indicates, however, that the data is
legitimate and may have been stolen from the Department of Federal Revenue
of Brazil (Receita Federal), consisting of information on employed
taxpayers in the country. Brazil's population is estimated at about 210
million, so this would mean that nearly half of the country's residents
have been exposed. The 92 million entries in the database also match census
estimates that put the working population of the country at about 93
million people.

The database contains full names, dates of birth, home state, driver's
license numbers and taxpayer ID (CPF) numbers. Some records contain
additional details such as business registration information, phone
numbers, license plate numbers, familial relations and dates of death.

BleepingComputer confirmed that the information offered on the hacking
forums was a SQL database dump of about 16 GB, and that accurate
information about known individuals could be looked up in it.

The seller is running an auction that spans multiple underground forums,
with a starting bid price of $15,000 USD and a minimum bid increase of
$1,000. For a smaller fee of $150 USD, the seller also offers to look up
information on a specific individual.

Vendor compromise is always a possibility, as was demonstrated by the early
2018 leaks from the Indian national identity database (Aadhaar). That
exposure came through a utility company that had access to the personal
information of the country's 1.1 billion enrolled residents. However, at
the moment there is no word as to how the Brazilian citizen data made its
way to the underground forum.

Whatever the case, the stolen data is everything a threat actor could want
for committing identity theft. This level of personal information is
sufficient to carry out social engineering attacks against banks and call
centres to gain access to existing accounts, as well as to open new lines
of credit in a victim's name.

Brazil’s data protection laws

Ultimately, the identity of the responsible party may not matter much. As
Jonathan Deveaux, head of enterprise data protection with comforte AG
<https://www.comforte.com/>, points out:

"The data from the 92 million Brazilian citizens being auctioned in the
underground forum would fall in the category of requiring protection under
the Brazilian General Data Protection Law ("Lei Geral de Proteção de Dados"
or "LGPD"). Unfortunately, the law does not go into effect until August
15, 2020, a 6-month extension from the previous February 2020 date."

Until August 2020, Brazil's existing patchwork of legislation remains in
place. What privacy protection currently exists is drawn in bits and
pieces from various laws
<https://privacyinternational.org/state-privacy/42/state-privacy-brazil?PageSpeed=noscript>,
primarily the Brazilian Internet Act (Marco Civil da Internet), along with
certain elements of the Brazilian Civil Code and the Consumer Protection
Code. These laws are generally more concerned with regulating ISPs and
laying out requirements for them to retain data for law enforcement and
allow government access. It is unclear whether citizens of Brazil will have
any kind of legal redress in this matter until the new law takes effect in
a little under a year.

Underground forums establishing the value of personal data

One of the biggest battles in establishing national data privacy
regulations is getting career politicians, who are often not particularly
tech-savvy, to recognize and acknowledge the value of citizen data.
Politicians do not always grasp the destructive potential of these breaches
because they do not understand the capabilities modern threat actors have.
The prices these databases fetch on underground forums may finally help
clue some reticent leaders in.

As Deveaux observes: “There’s one thing technology leaders can take from
hackers and threat actors – which is the value of data. On the Dark Web and
underground forums, data has value –  so much that threat actors are
willing to commit a crime to acquire it, and then another crime to sell it.

"When technology leaders adopt a stronger view that 'personal data has
value,' they might do more or invest more to protect it and keep it
private. However, with the wave of data privacy regulations popping up
around the world, organizations are going to have to protect data and
privacy, whether the organization considers it valuable or not. Data
privacy is shifting to focus on the consumer. Under Article 18 of the LGPD,
consumers have rights for their data, and organizations need to ensure
personal data is anonymized, redacted, or eliminated."

The theft of the Brazil citizen data shows how damaging the “kick the can
down the road” attitude can prove to be. The personal information of nearly
every working adult in the country is now available to the general public
via an underground forum, which is going to be a much larger problem to fix
than whatever effort it would have taken to implement data protection
regulations and practices in a more timely manner.

Best practices for government database protection

It’s important for world governments to formally recognize the need for
citizen data protection in both the public and private sectors, but it’s
also important to implement effective security measures. What should those
measures look like?

Deveaux sees a future centered on tokenization, in which the real
identifier is replaced by a limited-use token: "An emerging best practice
among many technology leaders is to adopt a data-centric security
approach, which protects personal data with anonymization technology like
tokenization. Not only does tokenization allow organizations to meet
compliance requirements and remain secure, but tokenization also allows
organizations to securely embrace modern technology like hybrid or
multi-cloud computing, which has been scrutinized as having major data
security gaps."
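To make the tokenization approach Deveaux describes concrete, here is an
added example (my own illustration, not code from the original article or
from comforte AG). It models a taxpayer table of the kind described above:
the application database stores only an opaque token per citizen, and the
token-to-CPF mapping lives in a separate vault keyed with its own secret,
so a 16 GB dump of the application table alone would yield no taxpayer ID
numbers. The names, dates and keys are constructed; the CPFs are the
standard publicly known test numbers whose check digits are valid, not
real people; the vault is an in-memory SQLite table that stores the CPF
as-is, a simplification of a production vault where that column would be
encrypted under a KMS- or HSM-held key.

```python
"""Vaulted tokenization of Brazilian taxpayer IDs (CPF), stdlib only.

Added example: the application DB holds only an opaque token per citizen;
the token <-> CPF mapping lives in a separate vault with its own key.
"""
import hashlib
import hmac
import re
import secrets
import sqlite3

# Constructed sample records: hypothetical names, well-known test CPFs.
SAMPLE_RECORDS = [
    ("Ana Souza", "1980-05-12", "111.444.777-35"),
    ("Bruno Lima", "1975-11-03", "529.982.247-25"),
    ("Ana Souza", "1980-05-12", "11144477735"),  # same person, unformatted
]


def normalize_cpf(cpf: str) -> str:
    """Strip punctuation; a CPF is 11 digits, the formatting is cosmetic."""
    return re.sub(r"\D", "", cpf)


def _check_digit(prefix: str) -> int:
    """Mod-11 check digit; weights run from len(prefix)+1 down to 2."""
    total = sum(int(d) * w for d, w in zip(prefix, range(len(prefix) + 1, 1, -1)))
    rem = total % 11
    return 0 if rem < 2 else 11 - rem


def cpf_is_valid(cpf: str) -> bool:
    """Reject garbage before it is tokenized and pollutes the vault."""
    d = normalize_cpf(cpf)
    if len(d) != 11 or len(set(d)) == 1:  # 111.111.111-11 passes the math but is never issued
        return False
    return _check_digit(d[:9]) == int(d[9]) and _check_digit(d[:10]) == int(d[10])


class TokenVault:
    """The only component that can reverse a token (simplified, see lead-in)."""

    def __init__(self, index_key: bytes):
        self._key = index_key  # assumption: held by the vault, never by the app
        self._db = sqlite3.connect(":memory:")
        self._db.execute(
            "CREATE TABLE vault (token TEXT PRIMARY KEY, lookup TEXT UNIQUE NOT NULL, cpf TEXT NOT NULL)"
        )

    def _lookup(self, cpf: str) -> str:
        # Keyed hash: one CPF -> one token on repeat calls, without storing an
        # unkeyed hash that could be brute-forced over the ~10^9 valid CPFs.
        return hmac.new(self._key, cpf.encode(), hashlib.sha256).hexdigest()

    def tokenize(self, cpf: str) -> str:
        if not cpf_is_valid(cpf):
            raise ValueError(f"invalid CPF: {cpf!r}")
        d = normalize_cpf(cpf)
        idx = self._lookup(d)
        row = self._db.execute("SELECT token FROM vault WHERE lookup = ?", (idx,)).fetchone()
        if row:
            return row[0]
        token = "CPF-" + secrets.token_hex(8)  # random; carries no information about the CPF
        self._db.execute("INSERT INTO vault VALUES (?, ?, ?)", (token, idx, d))
        return token

    def detokenize(self, token: str) -> str:
        row = self._db.execute("SELECT cpf FROM vault WHERE token = ?", (token,)).fetchone()
        if row is None:
            raise KeyError(token)
        return row[0]


def build_application_db(vault: TokenVault, records) -> sqlite3.Connection:
    """The table the application (and a thief with a dump of it) sees."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE taxpayer (name TEXT, dob TEXT, cpf_token TEXT)")
    for name, dob, cpf in records:
        db.execute("INSERT INTO taxpayer VALUES (?, ?, ?)", (name, dob, vault.tokenize(cpf)))
    return db


def dump_table(db: sqlite3.Connection) -> list:
    return db.execute("SELECT name, dob, cpf_token FROM taxpayer").fetchall()


def plaintext_cpfs_in_dump(rows, cpfs) -> list:
    """Which of the given CPFs appear, formatted or not, anywhere in the dump."""
    cells = [str(c) for row in rows for c in row]
    return [c for c in cpfs
            if any(c in cell or normalize_cpf(c) in normalize_cpf(cell) for cell in cells)]


def demo() -> dict:
    vault = TokenVault(secrets.token_bytes(32))
    rows = dump_table(build_application_db(vault, SAMPLE_RECORDS))
    return {
        "rows": rows,
        "leaked": plaintext_cpfs_in_dump(rows, [r[2] for r in SAMPLE_RECORDS]),
        "recovered": vault.detokenize(rows[0][2]),  # only the vault can do this
        "same_person_same_token": rows[0][2] == rows[2][2],
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(k, v)
```

Two caveats a practitioner should keep in mind. Tokenization of this kind
is pseudonymization, not anonymization: whoever obtains the vault and its
key can reverse every token, so the vault becomes the crown jewel and
needs stronger isolation, access control and monitoring than the
application database it protects. And the scheme only helps the fields
that are tokenized; names, dates of birth and license plates left in
clear, as in the dump described above, still identify people on their own.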

In general, securing citizen data at government agencies should not differ
much from the best practices seen in the private sector, and in some
respects the measures should be easier to implement. Employee training is
vital, for example, because the phishing e-mail remains the most common
delivery vector for malware. Government organizations have no investors
creating budget pressure and tend to have a more straightforward
hierarchical structure, so system-wide protocol changes and mandatory
training should be easier to roll out once the will to do so exists at the
top.