Around 137,300 Pix keys from customers of Abastece Ai Clube Automobilista Payment Ltda. (Abastece Aí) had leaked data, informed the Central Bank (BC) today (16). This was the fourth data breach since the launch of the instant payments system in November 2020.
As a customer can have more than one Pix key, BC reported that the total number of people (individuals and companies) affected reaches 137,122. Each individual can have up to five keys for each account and each legal entity can have up to 20.
According to the BC, the leak occurred in registration data, which do not affect the movement of money. Data protected by bank secrecy, such as balances, passwords and statements, were not exposed.
The incident took place between July 1st and September 14th and exposed the following data: user name, Individual Taxpayer ID (CPF), relationship institution, agency, account number and type, date of creation of the Pix key. All people who had information exposed will be notified through the Access app or the internet banking of the institution.
The Central Bank stressed that these will be the only means of notice for the exposure of Pix keys and asked customers to disregard communications such as phone calls, SMS and notices by messaging apps and by email.
Data exposure does not necessarily mean that all information has been leaked, but that it has been visible to third parties for some time and may have been captured. The BC informed that the case will be investigated and that sanctions may be applied, such as a fine, suspension or even the exclusion of Abastece Aí from the Pix system.
positioning
In a note sent to Brazil Agency, Abastece-aí reported that “due to the security incident, of which it was a victim, it has already blocked suspicious activities”. The company stressed that no passwords, transaction information, financial balances or any other information under bank secrecy were exposed. “Potential information improperly accessed from Pix is registration data, not allowing movement of resources, nor access to accounts or other financial information. The company reinforces that all appropriate measures for this investigation are already being taken”, says the note.
Historic
This was the fourth incident of Pix data leaks since the system was created in November 2020. In August of last year, data leak occurred 414,500 Pix keys per telephone number of Banco do Estado de Sergipe (Banese). Initially, BC had reported that the Banese leak had reached 395,000 keys, but the figure was later revised.
On the 21st, it was the turn of 160,100 Access Soluções de Pagamento customers have leaked information. In early February, 2,100 Logbank Payments customers also had their data exposed.
In the three previous cases, registration data were leaked, without exposing passwords and bank balances. By determination of the General Data Protection Law, the monetary authority maintains a page where citizens can follow incidents related to the Pix key or other personal data held by the BC.
Article updated at 19:01 to increase the company’s positioning
