RIO DE JANEIRO, BRAZIL – Brazil’s Central Bank on Thursday (30) reported a data leak incident of Pix keys under the custody and responsibility of the Bank of the State of Sergipe (Banese).
The leak occurred due to an isolated glitch in the financial institution’s systems and involved registration data, which does not allow the transfer of resources or access to accounts, the Central Bank said.
“No sensitive data were exposed, such as passwords, information on financial transactions or balances in transaction accounts, or any other information under bank secrecy,” the Central Bank said.
The institution added that it will investigate the incident and impose the sanctions foreseen in the regulations. People affected by the leak will be notified through their bank’s app, the Central Bank said.
In a separate statement, Banese said its technical area detected “undue consultations” to data related to 395,009 Pix keys of people who are not customers of the bank. These consultations came from access to two Banese customers’ bank accounts, according to the bank.
The bank confirmed that the incident did not affect the confidentiality of passwords or open access to its customers’ financial information.
“Such consultations were performed in the Directory of Transactional Account Identifiers – DICT, managed by the Central Bank of Brazil and of restricted access to institutions that initiate the procedure for performing a Pix transaction,” Banese said.
Account access was likely gained through practices such as “phishing,” a fraudulent action in which criminals try to obtain confidential data, according to the bank. Access to the accounts used to retrieve data was revoked, and the bank said it is implementing security measures to prevent similar cases from occurring.
The news of the leak comes after the Central Bank introduced measures to increase the security of Pix amidst the occurrence of crimes, including express kidnappings, after Pix was introduced, which enables immediate transfers to be made at any time of the day, 7 days a week.
The Central Bank has set a limit of R$1,000 (US$184) for transactions between individuals from 8 PM to 6 AM. It also allowed the bank holding the individual recipient’s account to preventively block funds for up to 72 hours in cases of suspected fraud.