Around 137,300 Pix keys from customers of Abastece Ai Clube Automobilista Payment Ltda. (Abastece Aí) had leaked data, informed the Central Bank (BC) today (16). This was the fourth data breach since the launch of the instant payments system in November 2020.
As a customer can have more than one Pix key, BC reported that the total number of people (individuals and companies) affected reaches 137,122. Each individual can have up to five keys for each account and each legal entity can have up to 20.
According to the BC, the leak occurred in registration data, which do not affect the movement of money. Data protected by bank secrecy, such as balances, passwords and statements, were not exposed.
The incident took place between July 1st and September 14th and exposed the following data: user name, Individual Taxpayer ID (CPF), relationship institution, agency, account number and type, date of creation of the Pix key. All people who had information exposed will be notified through the Access app or the internet banking of the institution.
The Central Bank stressed that these will be the only means of notice for the exposure of Pix keys and asked customers to disregard communications such as phone calls, SMS and notices by messaging apps and by email.
Data exposure does not necessarily mean that all information has been leaked, but that it has been visible to third parties for some time and may have been captured. The BC informed that the case will be investigated and that sanctions may be applied, such as a fine, suspension or even exclusion from the Pix system.
This was the fourth incident of Pix data leaks since the system was created, in November 2020. In August of last year, 414,500 Pix keys were leaked by telephone number of the Bank of the State of Sergipe (Banese ). Initially, BC had reported that the Banese leak had reached 395,000 keys, but the figure was later revised.
On the 21st, it was the turn of 160,100 customers of Acesso Soluções de Pagamento to have information leaked. At the beginning of February, 2,100 Logbank payments customers also had their data exposed.
In the three previous cases, registration data were leaked, without exposing passwords and bank balances. By determination of the General Data Protection Law, the monetary authority maintains a page where citizens can follow incidents related to the Pix key or other personal data held by the BC.
Translated to english by RJ983
From Brazil, by EBC News