UK credit firm, Experian, has confirmed it is conducting an investigation into a massive data breach in Brazil. Millions of people’s data are being illegally sold online, and the breach could be connected to Serasa, Experian’s Brazilian subsidiary.
The breached data being sold includes Social Security details, photographs, social media information, and vehicle registrations. Serasa does not collect this type of data, so Experian claims that their security has not been compromised.
However, despite Experian down-playing any security issues, the market did not seem to be buying their story. Shares in the corporation dropped 2% following the news of the breach.
Brazilian news media outlets report that over 200 million people’s personal data may have been involved in the breach. However, no-one is giving definite indications of where the breach originated.
This latest incident is not the only security breach Brazil has suffered recently. Around one year ago, health insurance provider, Hapvida, was the victim of a cyberattack that put its customers’ data at risk. Embraer, a plane manufacturer, based in São Paulo, was targeted by cybercriminals in another cyber-security breach.
The attack on Experian is not the first time a credit agency has been targeted. In 2019, American credit agency Equifax settled a claim for a data breach of its customers two years previously. Settling the claim cost the company $700 million.
Unfortunately, many emerging economy nations with large populations, such as Brazil, tend to have fledgling cybersecurity procedures. They create massive databases full of personal information, but these generally come with little attention placed on cybersecurity.
The recent incident, allegedly involving Serasa Experian, is the largest security breach any Brazilian organization has suffered. It is the sheer scale of the violation that leads many experts to point at the credit-scoring agency.
It is challenging to understand how such a leak could occur, given that Brazil has only recently adopted its LGPD (Law for the Protection of Personal Data). Of course, having a law is only the first step to providing personal data protection. It is the implementation and enforcement of such laws that make the difference.
However, there is some skepticism around the LGPD. Indeed, an attitude of security around personal data must be embedded into businesses and organizations’ culture. Otherwise, any laws are merely for show and have little weight.
For instance, Brazilian authorities currently offer scant advice on how to conduct audits of personal databases. However, they have plans to create a digital identity system for its citizens. This move may be another small step on the path of Brazil giving teeth to its cybersecurity laws.
What is for sure, there is still much work to be done. Many Brazilian organizations remain unaware of the new law protecting personal data. Also, Brazil has an acute shortage of qualified cybersecurity professionals. Addressing these two issues is critical if Brazil is to avoid similar data security breaches like those they’ve recently suffered.