Brazil’s largest professional association suffers massive data leak

November 23, 2018 TH Author

Brazil’s Federation of Industries of the State of São Paulo (FIESP) is being accused of exposing millions of personal data records from three of its databases online.

FIESP represents about 130 thousand companies and is the largest class entity in the Brazilian industrial sector. The records leaked included names, ID and social security numbers, as well as full addresses, emails and telephone numbers.

Bob Diachenko, a security researcher at white hat hacker ecosystem Hacken Proof, claims to have discovered three databases containing personal records that could be accessed through the Elasticsearch search engine on November 12. The largest data source had 34.8 million entries.

According to Diachenko, the data was open for consultation by anyone and had been openly available online for several days.

The researcher claims to have tried contacting FIESP to warn the industry body of the occurrence to no avail. After the leak was first made public by Hacken Proof on Twitter, a Brazilian follower got in touch with the organization to inform them about the data leak and only then the database went offline.

In a statement, FIESP said it is “investigating the alleged access to its database by a company that claims to work in digital security,” but it has pretty much denied that anything serious has happened at all.

The trade body argued that the databases Hacken Proof is talking about didn’t contain sensitive information or passwords and that “so far, there is no news that any personal information from the database has been exposed.”

“FIESP contacted [Hacken Proof], who said it had not made the data public and subsequently destroyed the information that it claims to have had access to. [Hacken Proof] also stated that its objective was to expose possible vulnerabilities to prevent potential leaks.”

The Brazilian Public Prosecutor’s Office is currently investigating the data leak. Brazil is yet to implement its own data protection legislation, which among other things will aim to hold public and private organizations accountable for personal data exposure.