Thousands of IDs exposed in yet another data breach in Brazil

Immediately upon discovery, Group-IB’s Computer Emergency Response Team (CERT-GIB) alerted Brazil’s cybersecurity authorities about the incident. The case highlights the importance of rapid threat intelligence exchange and collaboration between the CERTs all over the world – the information provided by CERT-GIB was actioned swiftly. Within ten hours, the server was taken offline.

This was not the first time Brazilians’ sensitive data ended up available to the public. In 2020, personal records of over 243 million Brazilians were exposed. As the world goes digital, the security risks of online identity verification are becoming more pervasive. The incident demonstrates why government and private sector organizations that process sensitive personal data need stringent cybersecurity measures, including threat intelligence and hunting operations in place, to avoid financial losses, reputational damage, and data breaches.

At the end of this post, cybersecurity professionals can find recommendations and remediation techniques to avoid and address similar incidents.

How Group-IB uncovered the breach

As part of Group-IB’s Threat Intelligence gathering processes, the entire IPv4 internet space is scanned continuously for anomalies, signs of suspicious and malicious activity, misconfiguration causing digital assets to be exposed to a wider public. Automated tools assess online resources and identify high-risk infrastructure that requires further evaluation.

In this case, a publicly accessible server hosted in the US with the directory listing function enabled was discovered on 8th January. Disabling directory listing on a web server is a normal security precaution to avoid the exposure of sensitive information. However, this was not the case. Anyone on the internet could access the server’s contents.

Within the directory, several files were found, including a 27 GB zip-archive containing more than 20,000 Brazilian citizens’ ID selfies, a custom web crawling script written in Python, and an open source web tunneling tool.

Server directory

Based on the archive’s last modification date, Group-IB’s analysts concluded that the file had been uploaded to the server no later than November 2021.

A crawler script, used for data collection, also caught Group-IB team’s attention. As its code examination revealed, the crawler connected to one of the Brazilian government portals. The crawler’s developer left a little more in the source code. Group-IB analysts spotted a phrase in Portuguese which says “Deu erro aqui nessa merda!” (ENG: “You got this s*** wrong”).

The server in question was located outside of Brazil.

Given all the above evidence, it is fair to assume that the server appears to have been used by an authorized third party as a staging area while they gathered sensitive personal information with unclear but most likely malicious intent. However, it is not clear what was the end goal of the party that collected sensitive data.

The privacy dangers of digital verification

Personal ID discovered on the server is the Cédula de identidade, the national identity document in Brazil, commonly referred to as ‘carteira de identidade’ or simply “RG” (from Registro Geral, General Registry). The card contains the name of the bearer, filiation, place of birth, date of birth, signature and thumbprint of the bearer and, optionally, CPF number (‘Cadastro de Pessoas Físicas’), the country’s individual taxpayer registry identification.

The identity card is used for a number of private and public purposes including obtaining a driver’s license, opening a bank account, buying or selling real estate, financing debts, applying for a job, giving testimony in court, and entering some public buildings. The card can also be used for travel between Mercosur member countries and associates (except Guyana and Suriname).

Around the world, many organizations are implementing digital verification processes as they undergo digital transformation, making the services available via mobile apps or web portals. For the end-user, this model can be appealing; it is a fast and easy way to sign up for services, completely removing the need to visit a physical point of presence. However, when the data is not managed properly without cyber security considerations in mind, it is almost inevitable that personal information will be exposed. Digital Verification based on selfies has been gaining momentum in recent years and is used on everything from dating apps to tax returns. Just in February, the US IRS had to walk back their use of selfie-based ID.ME amidst a storm of privacy concerns.

Risks of having personal such information exposed vary for users and companies.

For the individuals that had their personal information exposed, they are at risk of:

• Identity theft
• Account takeover
• Extortion
• Spear phishing attacks
• Theft of money

The organizations that experienced the data breach can also be at risk of:

• Financial loss
• Legal action
• Reputational damage
• Operational downtime
• Response and recovery costs
• Disclosure announcements if there is a breach

Upon the discovery, Group-IB’s Computer Emergency Response Team (CERT-GIB) immediately took steps to remediate the risks, and within 10 hours the server was taken offline by the Brazil’s cybersecurity authorities.

Why Group-IB reported this breach

Group-IB’s mission is to fight against cybercrime. As part of this mission, Group-IB continuously scans the internet for unsecured databases containing private and personal information. When we uncover unsecured data, we immediately take steps to mitigate the risks to users, organizations and government departments.

Under a responsible disclosure protocol, Group-IB always does its best to reach out to the affected parties so they can take the necessary steps to eliminate the threat. Typically, Group-IB launches an investigation to determine who the owner is, what information is at risk, who is affected, and the potential impact on data subjects. After identifying whoever is responsible for an exposed database, we utilize our contacts in the security community, including CERTs, law enforcement partners and threat analysts, to alert the appropriate parties to secure the data as quickly as possible.