Brazil’s Shocking Doxing

Dayton Williams
Brown Technology Review
Mar 16, 2021
‘Photo of Grey Faucet’ by Luis Quintero from Pexels. Image created by Dayton Williams.

An old Brazilian proverb wisely warns, “o bombocado não é para quem o faz, mas para quem o come,” which roughly translates to “the cake is not for the one who makes it but for the one who eats it.” In our 21st Century digital economy, an individual’s data is one of the greatest driving forces of economic pursuit, government interest, and criminal attraction. Personal data, like the aforementioned proverbial cake, overwhelmingly benefits the consumers of data, never its producers. It should come as no surprise, then, that powerful data sets, from Big Tech to Big Brother, enrich and empower those who aggregate and exploit large amounts of personal data while imperiling those whose data is being amassed. Corporate technocrats and federal bureaucrats who manage vast stores of personal data can easily overlook the grave individual implications of amassing citizen data en masse. Nowhere is the risk of state and corporate data collection more explicit to the everyday person than when these massive personal data banks are leaked.

In January 2021, Brazil witnessed the largest personal data leakage in its history, the proportions of which are absolutely mind-boggling. In a country with a population of roughly 211 million people, a data set of 220 million Brazilian citizens was found for sale on the dark web. The data set, which covered Brazilian citizens both alive and deceased, captured every meaningful piece of data one could have on an individual: full name, unique tax ID, date of birth, names of all first-degree relatives, credit score, personal address, place of employment, social media handles, and more. Armed with this information, criminal elements can wrest control of Brazilian bank accounts, snatch up sensitive data to fuel blackmail schemes, and even assume a victim’s identity to take out fraudulent loans and open credit cards. Anonymous sellers on the dark web are currently charging from $0.08 to $1.00 in Bitcoin to download Brazilian personal information, depending on the quantity of personal data purchased. The still-unfolding narrative of the 2021 data leak runs in parallel to the larger theme of Brazil’s expeditious migration to the internet.

Brazil is an emerging digital economy and a dynamic case study in rapid consumer internet adoption. This flurry of online activity in e-commerce and online banking has unfortunately corresponded with a meteoric rise in Brazilian cybercrime activity. The underground Brazilian hacking community is both one of the world’s largest in terms of estimated membership and the most prolific in terms of fraud targeting Brazilian citizens. A study by PSafe, Brazil’s leading data security firm, found that one of every five Brazilians had reported being victims of identity theft in May of 2019. The study only accounts for those Brazilians who know their identity has been stolen, which means the number of Brazilians with a compromised identity is likely much higher. Coupled with a global rise in online banking fraud, the massive January 2021 data leak will enable hackers and fraudsters to wreak havoc on the personal and financial lives of Brazilian citizens. An especially frightening aspect of the leak is its completeness. Marco DeMello, president of PSafe, described the content as “scary” and warned how criminals can easily “assume the identity of their victims, create debt and download deeds on their victim’s behalf… there are several crimes that can be committed with this complete range of data.”

At the time of writing, Brazilian authorities and watchdog agencies have not yet assigned blame to a specific individual or group for the data leak. There are, however, several clues that point to Brazil’s credit bureau-equivalent Serasa SA, which is managed by Experian, as the source of the leak. For one, the 37 available dark web data sets are impressively complete, which hints that the source of the leak was a large, trusted organization that professionally managed a significant portion of the Brazilian public’s data. The amount of work required to stitch together such a large quantity of high-quality data from scattered sources is itself impractical, and the low selling price further suggests that the data was acquired with relatively little effort. An even more incriminating hint in favor of the Serasa SA source theory is that the data was organized by a credit score segmentation model called “Mosaic” that is used exclusively by Serasa. Experian defended Serasa SA in a statement, alleging that “in spite of exhaustive investigations, to date there is no evidence that our technology systems have been compromised.”

Despite Experian’s denial of culpability, consumer advocacy organizations like Procon and IDEC have issued blistering statements urging the Brazilian government to investigate and potentially levy heavy fines against the credit bureau. Because of the recent passage of a new Brazilian data privacy and security law, the LGPD, Brazil now has the legal organ necessary to oversee and impose administrative sanctions for privacy violations. If gross negligence is found by Brazilian cyber investigators, Experian could face a fine of up to 2% of its Brazilian revenue, to a maximum of R$50 million ($8,808,245 USD). Under the LGPD, it is also possible for consumers to seek compensation for damages associated with personal data leakages. In a moment of schadenfreude, early cyber forensics suggests that the data behind the January 2021 leak was exfiltrated in August of 2019, nestled between the time that the LGPD was passed into law and its effective start date. According to the Brazilian constitution, criminal laws cannot have ex post facto (read: retroactive) consequences unless they benefit the defendant. The question of whether or not the perpetrators of the 2021 data leak will fall within the jurisdiction of the LGPD is still forthcoming.

Nevertheless, investigations into the massive leak are currently being led by the LGPD-created National Data Protection Authority alongside the Federal Police. The Brazilian government’s Congressional accountability office, the TCU, has also ordered an emergency security audit for over 400 organizations within the public sector. The sheer scale of the January 2021 data leak coupled with the recent passage of the LGPD places Brazil at a consequential crossroads. If the LGPD is to have legitimacy in the eyes of organizations that store Brazilian personal data, regulators in the capital, Brasília, will need to decide how rigorously to enforce penalties and levy fines. Like Europe after the passage of the GDPR, swift and decisive action against lawbreakers will give the LGPD the teeth it needs to force compliance, enhance accountability, and ultimately secure the data of Brazilian citizens. Decisions made in Brazil over the next year in regard to the data leak and the LGPD will serve as either a cautionary tale or a beacon of hope to the rest of the world. As a cautionary tale, lax enforcement of the data protection law will allow data breaches like the one in January 2021 to continue without consequence, endangering the security and privacy of Brazilian citizens. As a beacon of hope, Brazil would effectively investigate the cause of the leak, facilitate the compensation of anyone whose privacy was compromised, and prosecute the perpetrator of the leak and any who used the leaked data to exploit Brazilian citizens. Either way, it would seem Brazil has found its first major test to determine if it can make its cake… and eat it too.

Published exclusively in the Brown Technology Review.