A misconfigured server has been found leaking the details of 120m Brazilian taxpayers, according to a recent report.
The misconfigured server, discovered by InfoArmor, held files ranging in size from 27 megabytes to 82 gigabytes, among them taxpayer identification numbers for 120m Brazilian citizens.
InfoArmor found that the server’s index page had been renamed to “index.html bkp”. With no index.html left to serve and directory listing enabled, the Apache server answered requests for that directory with an automatically generated list of the files it contained, exposing them to anyone who reached the IP address.
The leak exposed sensitive personal information, including first names, last names, residential addresses, phone numbers, dates of birth, family contacts, employment history, voter registration numbers, credit and debit history, contract numbers, and contract amounts.
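The mechanism behind the exposure, a missing index file in a directory where Apache’s mod_autoindex is allowed to list contents, is easy to check for. The script below is an added example, not code from the InfoArmor report or this article: it recognises an Apache “Index of” page in a response body and pulls out the listed files, flags names that look like database dumps or backups, and audits an httpd.conf or .htaccess fragment for an Options directive that leaves Indexes switched on. The sample listing and both config fragments are constructed for illustration; the file names and the /var/www/html path are assumptions, not the real contents of the leaking server.

```python
"""Detect Apache directory-listing exposure and the Options setting that
permits it. Added example; sample inputs below are constructed."""
import re
from html.parser import HTMLParser
from urllib.parse import unquote

# mod_autoindex titles its generated pages "Index of <path>"
AUTOINDEX_TITLE = re.compile(r"<title>\s*Index of\s+(\S+)\s*</title>", re.I)
# suffixes that typically mean a dump, backup or bulk export (heuristic)
SENSITIVE = re.compile(r"(sql|bkp|bak|csv|zip|tgz|tar|gz|dump)$", re.I)
OPTIONS_LINE = re.compile(r"^\s*Options\s+(.+?)\s*$", re.I | re.M)


class _LinkCollector(HTMLParser):
    """Collect href targets of every <a> tag in the page."""

    def __init__(self):
        super().__init__()
        self.hrefs = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            for name, value in attrs:
                if name == "href" and value:
                    self.hrefs.append(value)


def parse_autoindex(body):
    """Return (listed_path, entries) if body is an Apache autoindex page,
    else None. Sort-column links (?C=N;O=D) and the parent-directory link
    are dropped so only real entries remain; names are URL-decoded."""
    m = AUTOINDEX_TITLE.search(body)
    if not m:
        return None
    collector = _LinkCollector()
    collector.feed(body)
    entries = [unquote(h) for h in collector.hrefs
               if not h.startswith("?") and h != "../"]
    return m.group(1), entries


def sensitive_entries(entries):
    """Subset of entries whose names look like dumps, backups or exports."""
    return [e for e in entries if SENSITIVE.search(e)]


def indexes_enabled(config_text):
    """Read Options directives top to bottom and report whether Indexes is
    on at the end: True, False, or None if no Options directive appears
    (the server default then applies). Simplification: <Directory> and
    .htaccess scoping is ignored, so this is a flat read of one fragment."""
    state = None
    for m in OPTIONS_LINE.finditer(config_text):
        tokens = m.group(1).split()
        if all(t[0] in "+-" for t in tokens):
            # relative form merges with the inherited set
            for t in tokens:
                if t[1:].lower() == "indexes":
                    state = t[0] == "+"
        else:
            # absolute form replaces the set; "All" includes Indexes
            names = {t.lower() for t in tokens}
            state = "indexes" in names or "all" in names
    return state


# Constructed sample autoindex page (not captured from the real server).
SAMPLE_LISTING = """<html><head><title>Index of /data</title></head>
<body><h1>Index of /data</h1><table>
<tr><th><a href="?C=N;O=D">Name</a></th><th><a href="?C=M;O=A">Last modified</a></th></tr>
<tr><td><a href="../">Parent Directory</a></td><td>&nbsp;</td></tr>
<tr><td><a href="index.html%20bkp">index.html bkp</a></td><td>2019-03-01</td></tr>
<tr><td><a href="raw.sql">raw.sql</a></td><td>2019-03-02</td></tr>
<tr><td><a href="readme.txt">readme.txt</a></td><td>2019-03-02</td></tr>
</table></body></html>"""

# Constructed config fragments: the weak setting and the corrected one.
WEAK_CONFIG = """<Directory "/var/www/html">
    Options Indexes FollowSymLinks
    Require all granted
</Directory>"""

HARDENED_CONFIG = """<Directory "/var/www/html">
    Options -Indexes +FollowSymLinks
    Require all granted
</Directory>"""


if __name__ == "__main__":
    path, entries = parse_autoindex(SAMPLE_LISTING)
    print(f"listing exposed at {path}: {entries}")
    print("sensitive:", sensitive_entries(entries))
    print("weak config Indexes on:", indexes_enabled(WEAK_CONFIG))
    print("hardened config Indexes on:", indexes_enabled(HARDENED_CONFIG))
```

In practice `parse_autoindex` is fed the body of a GET for each directory you serve; a non-None result on anything but an intentionally public tree is a finding. The fix on the server side is the `Options -Indexes` line in the hardened fragment (or restoring an index file), and `indexes_enabled` is only a first pass: Apache evaluates Options per directory with inheritance and .htaccess overrides, which the flat read above does not model.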
Process of discovery and notification
InfoArmor attempted to determine who owned the server so that they could notify the owner of the database.
“In the days following the initial discovery, InfoArmor’s research team attempted to determine who owned the server so they could be notified. During this time, InfoArmor observed that one of the files, an 82 GB file, had been replaced by a raw.sql file 25 GB in size, though its filename remained the same,” continues the report.
“This swap suggests a human intervened. It is possible that a server administrator had discovered the leak; however, the server remained unsecured for weeks after this swap.”
After several attempts, InfoArmor was able to contact the owner in April and inform them about the flaw.
Later that month, the server was reconfigured to secure the data. “What was originally misconfigured to be accessible by IP address was reconfigured as a functional website with an authenticated alibabaconsultas.com domain that redirected to its login panel.”
Data could be used “against the population”
InfoArmor warns: “It is safe to assume that any intelligence organisation or cybercrime group with reasonable collection capabilities and expertise will have captured this data. This data could very likely be used against the population of Brazil, the nation of Brazil, or any nations hosting people who have a CPF.”
Commenting on the data leak, Ilia Kolochenko, CEO and founder of a web security company, said: “The major question here is how did this highly sensitive and confidential data go online on a third-party server in a flagrant violation of all possible security, compliance and privacy fundamentals? Who else has access to this data and its copies? A thorough investigation is required within the Brazilian government to determine who should bear the responsibility.
I would, however, not be so certain that cybercriminals managed to get the data from the exposed server. I’d rather presuppose that cybercriminals have had this (and probably many other governmental data from Brazil) for years, if such an overt leakage happened in such scandalous circumstances.”