A total of 2,112 customers of Logbank Soluções em Pagamentos had Pix key data leaked, the Central Bank (BC) reported today (3). This was the third data breach since the launch of the instant payments system in November 2020.
According to the BC, the leak occurred in registration data, which do not affect the movement of money. Data protected by bank secrecy, such as balances, passwords and statements were not exposed.
The incident took place on January 24 and 25 and exposed the following data: user name, Individual Taxpayer ID (CPF), relationship institution and account number. All people who have had information exposed will receive notices, but the BC did not say how victims will be notified. According to the BC, the National Data Protection Agency (ANPD) was also notified.
Data exposure does not necessarily mean that all information has been leaked, but that it has been visible to third parties for some time and may have been captured. The BC informed that the case will be investigated and that sanctions may be applied, such as a fine, suspension or even the exclusion of Logbank from the Pix system.
Reply
LogBank is an electronic payments company that operates in the Business-to-Business-to-Consumer (B2B2C) segment. In this model, the industry sells directly to the consumer, but the sale is facilitated by another business (distributor, retailer or wholesaler), including the entire commercial chain.
By means of a note, Logbank reported that it suffered a hacking attempt on its digital platforms on January 24 and 25. However, the company said the attack on the data was contained by security teams and that no customers suffered financial loss. The company highlighted investments in security and technology and said that customer resources “are and always have been under maximum surveillance and security.”
“The incident was detected and controlled instantly by security tools and teams. No sensitive data was leaked and there was no undue financial movement or financial loss to customers related to this incident, whose scope remained extremely limited”, highlighted the company.
This was the third incident of Pix data leaks since the system was created in November 2020. In August, the leak occurred of data 414.5 thousand Pix keys per telephone number of the Bank of the State of Sergipe (Banese).
On the 21st, it was the turn of 160,100 customers of Acesso Soluções de Pagamento have leaked information. In both cases, registration data were leaked at the time, without exposing passwords and bank balances.
Initially, BC had reported that the Banese leak had reached 395,000 keys, but the figure was later revised. By determination of the General Data Protection Law, the monetary authority keep a page in which citizens can monitor incidents related to the Pix key or other personal data held by the BC.
Article updated at 6:30 pm to add LogBank’s positioning.
