In March 2018, security experts at InfoArmor discovered a misconfigured server online that contained taxpayer identification numbers, or Cadastro de Pessoas Físicas (CPFs), for 120 million Brazilian nationals. It is not clear how long the data remained exposed online or who accessed it.
Every Brazilian national is assigned a taxpayer identification number that allows them to perform ordinary operations, such as opening a bank account, paying taxes, or getting a loan.
Experts discovered the file index.html_bkp on the Apache server (likely a backup of index.html). With the index file apparently renamed, the web server displayed a list of the files and folders stored in that directory and allowed them to be downloaded.
The folder included data archives ranging in size from 27 megabytes to 82 gigabytes.
Experts at InfoArmor discovered that one of the archives contained data related to Cadastro de Pessoas Físicas (CPFs), personal information, military info, telephone, loans, and addresses.
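The condition described above (a web directory with no index file that also holds backup archives) can be checked for on your own server's file system. The following is an added example, not code from InfoArmor or the article; the index file names, the risky suffixes and the sample tree are assumptions constructed for illustration.

```python
import os
import tempfile

# Assumptions for this example: adjust to your DirectoryIndex setting and naming habits.
INDEX_NAMES = {"index.html", "index.htm", "index.php"}
RISKY_SUFFIXES = ("_bkp", "_bak", ".bkp", ".bak", ".old", ".sql", ".gz", ".zip", ".tar", ".7z")


def audit_docroot(docroot):
    """Find directories with no index file that hold backup-like files.

    With automatic listings enabled, Apache would show these directories'
    contents to any visitor instead of serving a page.
    """
    findings = []
    for dirpath, dirnames, filenames in os.walk(docroot):
        dirnames.sort()  # deterministic traversal order
        lowered = [f.lower() for f in filenames]
        if INDEX_NAMES.intersection(lowered):
            continue  # an index file is served, so no listing is generated
        risky = sorted(f for f in filenames if f.lower().endswith(RISKY_SUFFIXES))
        if risky:
            findings.append({
                "dir": os.path.relpath(dirpath, docroot),
                "exposed": risky,
                # e.g. index.html renamed to index.html_bkp, as in the incident
                "renamed_index": any(f.startswith(n) for f in lowered for n in INDEX_NAMES),
            })
    return findings


def build_sample_tree(root):
    """Constructed sample document root: one normal site, one backup directory."""
    layout = {
        "site/index.html": "<h1>home</h1>",
        "dumps/index.html_bkp": "<h1>old page</h1>",
        "dumps/customers.sql.gz": "constructed placeholder, not real data",
    }
    for rel, content in layout.items():
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as fh:
            fh.write(content)


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        for finding in audit_docroot(tmp):
            print(finding)
```

Apache's `Options -Indexes` directive turns off the automatic listing itself; the check above finds the directories where that setting currently matters and where backups should be moved out of the web root.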
“CPFs are an identification number issued by the Brazilian Federal Reserve to Brazilian citizens and tax-paying
Experts believe that the directory was used to store database backups. While InfoArmor was attempting to report the discovery to
“In the days following the initial discovery, InfoArmor’s research team attempted to determine who owned the server so they could be notified. During this time, InfoArmor observed that one of the files, an 82 GB file
“This swap suggests a human intervened. It is possible that a server administrator had discovered the leak,
One question remains unanswered: why was this kind of data exposed on a third-party server?
“It is safe to assume that any intelligence organization or cybercrime group with reasonable collection
(Security Affairs – Brazilian Taxpayers, data leak)