Pierluigi Paganini December 13, 2018

InfoArmor discovered a misconfigured server online that contained taxpayer identification numbers for 120 million Brazilian taxpayers

In March 2018, security experts at InfoArmor discovered a misconfigured server online that contained taxpayer identification numbers, or Cadastro de Pessoas Físicas (CPFs), for 120 million Brazilian nationals. It is not clear how long data remained exposed online or who accessed them.

Every Brazilian national has assigned a taxpayer identification number that allows him to perform ordinary operations, such as opening a bank account, paying taxes, or getting a loan.

Experts discovered the file index.html_bkp on the Apache server (likely a backup of the index.html), which caused the web server to display the list of the files and folder stored in that folder and download them.

The folder included data archives ranging in size from 27 megabytes to 82 gigabytes.

Experts at InfoArmor discovered that one of the archive contained data related to Cadastro de Pessoas Físicas (CPFs), personal information, military info, telephone, loans, and addresses. 

“CPFsare an identification number issued by the Brazilian Federal Reserve to Brazilian citizens and tax-paying residentaliens, and each exposed CFP linked to an individual’s banks, loans, repayments, credit and debit history, voting history, full name, emails, residential addresses, phone numbers, date of birth, family contacts, employment, voting registration numbers, contract numbers, and contract amounts.” reads the report published by InfoArmor.

Experts believe that directory was used to store database backups. While InfoArmor was attempting to report the discovery to owner of the database, someone replaced the 82 GB file a raw 25 GB .sql file.

“In the days following the initial discovery, InfoArmor’s research team attempted to determine who owned the server so they could be notified. During this time, InfoArmor observed that one of the files, an 82 GB file, had been replaced by a raw .sql file 25 GB in size, though its filename remained the same.” continues the report.

“This swap suggests a human intervened. It is possible that a server administrator had discovered the leak, however the server remained unsecured for weeks after this swap”

InfoArmor was any way able to contact the hosting provider that secured the directory by the end of March.

A question remains without response, why this kind of data was exposed a third-party server.

“It is safe to assume that any intelligence organization or cybercrime group with reasonable collection capabilitiesand expertise will have captured this data. This data could very likely be used against the population of Brazil, thenation of Brazil, or any nations hosting people who have a CFP.” concludes InfoArmor.

Pierluigi Paganini

(Security Affairs – Brazilian Taxpayers, data leak)

[adrotate banner="5"]

[adrotate banner="13"]