When sensitive personal data is stolen, the world at large is often not aware of it until it appears for sale on the dark web. Such is the case of a database, recently posted on an underground forum, that appears to contain the personal data of 92 million citizens of Brazil. The hacker is offering not just the database for sale, but also to look up specific citizen data upon request.
Where did this Brazilian citizen data come from?
This massive trove of citizen data is a mystery at present. There have been no public announcements of data breaches recently that would correspond to this information.
Research by BleepingComputer indicates that the data is legitimate, however, and may have been stolen from the Department of Federal Revenue of Brazil and consist of information on employed taxpayers in the country. Brazil’s population is estimated to be about 210 million, so this would mean that nearly half of the residents of the country have been exposed. The 92 million entries in the database would also match census estimates that put the working population of the country at about 93 million people.
The database contains full names, dates of birth, home province, driver’s license and taxpayer ID numbers. Some records contain additional details such as business registration information, phone numbers, license plate numbers, familial relations and dates of death.
BleepingComputer confirmed that the information available through the hacking forums was in an SQL database of about 16 GB in size, and that accurate information about known individuals could be looked up.
The seller is running an auction that spans multiple underground forums, with a starting bid price of $15,000 USD and a minimum bid increase of $1,000. For a smaller fee of $150 USD, the seller also offers to look up information on a specific individual.
Vendor compromise is always a possibility, as was demonstrated by the early 2018 leaks of the Indian national identity database. That breach was caused by a utility company that had access to the personal information of the country’s 1.1 billion citizens. However, at the moment there is no word as to how the Brazil citizen data made its way to the underground forum.
Whatever the case, the stolen data is everything that threat actors could want for committing identity theft. This level of personal information is sufficient to perpetrate social engineering attacks to gain access to bank accounts, as well as to open new credit card accounts.
Brazil’s data protection laws
Ultimately, the identity of the responsible party may not matter much. As Jonathan Deveaux, head of enterprise data protection with comforte AG, points out:
“The data from the 92 million Brazilian citizens being auctioned in the underground forum would fall in the category of requiring protection under the Brazilian General Data Protection Law (“Lei Geral de Proteção de Dados” or “LGDP”). Unfortunately, the law does not go into effect until August 15, 2020, a 6-month extension from the previous February 2020 date.”
Until August 2020, Brazil’s existing patchwork of legislation remains in place. What current privacy protection legislation exists is drawn in bits and pieces from various bills – primarily the Brazilian Internet Act, along with certain elements of the Brazilian Civil Code and the Consumer Protection Code. These laws are generally more concerned with regulating ISPs and laying out requirements for them to store data for law enforcement and allow government access. It is unclear if citizens of Brazil will have any kind of legal redress in this matter until the new laws take effect in a little under a year.
Underground forums establishing the value of personal data
One of the biggest battles in establishing national data privacy regulations is in getting career politicians, who are often not particularly tech-savvy, to recognize and acknowledge the value of citizen data. Politicians do not always understand the destructive potential of these breaches because they do not understand the modern capabilities that threat actors have. The prices these databases are selling for on underground forums may help to finally clue some reticent leaders in.
As Deveaux observes: “There’s one thing technology leaders can take from hackers and threat actors – which is the value of data. On the Dark Web and underground forums, data has value – so much that threat actors are willing to commit a crime to acquire it, and then another crime to sell it.
“When technology leaders adopt a stronger view that ‘personal data has value,’ they might do more or invest more to protect it and keep it private. However, with a wave of data privacy regulations popping up around the world, organizations are going to have to protect data and privacy, whether the organization considers it valuable or not. Data privacy is shifting to focus on the consumer. Under Article 18 of the LGDP, consumers have rights for their data, and organizations need to ensure personal data is anonymized, redacted, or eliminated.”
The theft of the Brazil citizen data shows how damaging the “kick the can down the road” attitude can prove to be. The personal information of nearly every working adult in the country is now available to the general public via an underground forum, which is going to be a much larger problem to fix than whatever effort it would have taken to implement data protection regulations and practices in a more timely manner.
Best practices for government database protection
It’s important for world governments to formally recognize the need for citizen data protection in both the public and private sectors, but it’s also important to implement effective security measures. What should those measures look like?
Deveaux sees a future centered on limited-use anonymized tokens: “An emerging best practice among many technology leaders is to adopt a data-centric security approach, which protects personal data with anonymization technology like tokenization. Not only does tokenization allow organizations to meet compliance requirements and remain secure, but tokenization also allows organizations to securely embrace modern technology like hybrid or multi-cloud computing, which has been scrutinized as having major data security gaps.”
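To make the tokenization approach concrete, here is an added illustration (not code from the article or from comforte AG) of a vault-based tokenizer applied to the kinds of fields described in the leaked records. Field names, the role name and the sample record are assumptions constructed for the example; the point is that an application database holding only tokens reveals no taxpayer or licence numbers if it is copied.

```python
import secrets

# Fields from the leaked Brazilian records that tokenization would replace.
# Constructed example: field names are assumptions, not the breached schema.
SENSITIVE_FIELDS = ("taxpayer_id", "drivers_license")


class TokenVault:
    """Maps sensitive values to random tokens; the mapping lives only here.

    The application database stores tokens. The vault and its mapping are
    kept in a separate store with stricter access, so a copy of the
    application database alone does not expose the underlying values.
    """

    def __init__(self):
        self._value_to_token = {}
        self._token_to_value = {}

    def tokenize_value(self, value):
        # Deterministic: the same input always yields the same token, so
        # joins and equality lookups on the tokenized column keep working.
        token = self._value_to_token.get(value)
        if token is None:
            token = "tok_" + secrets.token_hex(8)  # random, not derived
            self._value_to_token[value] = token
            self._token_to_value[token] = value
        return token

    def detokenize_value(self, token, caller_roles):
        # Only a narrowly granted role (assumed name) may reverse a token.
        if "pii_reader" not in caller_roles:
            raise PermissionError("caller not permitted to detokenize")
        return self._token_to_value[token]


def tokenize_record(vault, record):
    """Return a copy of record with sensitive fields replaced by tokens."""
    out = dict(record)
    for field in SENSITIVE_FIELDS:
        if field in out:
            out[field] = vault.tokenize_value(out[field])
    return out


# Constructed sample record; these are placeholder values, not real data.
SAMPLE = {"name": "Ana Example", "dob": "1980-01-01",
          "taxpayer_id": "000.000.000-00", "drivers_license": "00000000000"}
```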
In general, the process of securing citizen data at government agencies should not differ much from the best practices seen in the private sector. In some cases, the methods should actually be easier to implement. For example, employee training is vital, because the most common method of delivering malicious software remains the tried-and-true phishing email. As government organizations have no investors to answer to (and the budget pressures that come with them) and have a more straightforward hierarchical structure, it should be easier to implement system-wide protocol changes and mandatory training once the will to do so is present at the top.