The Central Bank announced this Friday (13) that 5,290 Pix keys belonging to Banco Agibank SA customers had their data exposed. It was the 21st incident with Pix data since the launch of the instant payment system, in November 2020, and the first in 2026.
According to the BC, the exposure took place from December 26, 2024 to January 30, 2025 and covered the following information: user name, masked CPF (CPF partially covered with asterisks), relationship institution, branch, and account number and type.
The incident, the BC said, occurred due to specific failures in the payment institution's systems. The leak involved registration data, which does not affect the movement of money. Data protected by banking secrecy, such as balances, passwords and statements, were not exposed.
Although the case did not need to be reported due to the low potential impact on customers, the BC clarified that it decided to publicize the incident in the name of "commitment to transparency".
Everyone whose information was exposed or leaked will be notified through the institution's application or internet banking. The Central Bank stressed that these will be the only channels used to warn customers about the exposure of Pix keys and asked customers to disregard communications such as phone calls, SMS and notices via messaging apps and email.
Data exposure does not necessarily mean that all information has been leaked, but that it has been visible to third parties for some time and may have been captured. The leak indicates that someone actually consulted the data. The BC informed that the case will be investigated and that sanctions may be applied. The legislation provides for a fine, suspension or even exclusion from the Pix system, depending on the severity of the case.
In all 21 incidents with Pix keys recorded so far, registration information was exposed, without exposing passwords and bank balances. As determined by the General Data Protection Law, the monetary authority maintains a page where citizens can follow incidents related to Pix keys or other personal data held by the BC.
Brazil Agency is trying to contact Agibank and will include the institution's response as soon as it receives one.
