- The FIESP reportedly represents 130,000 firms and is the biggest entity in the industrial sector of the nation.
- The data leaked includes members’ names, social security numbers, physical addresses, email addresses, and phone numbers.
The largest data breach in the history of Brazil appears to have occurred earlier in November. The breach was caused by the Brazilian Federation of Industries of the State of São Paulo (FIESP), which reportedly represents 130,000 firms and is the biggest entity in the industrial sector of the nation.
The FIESP is being accused of exposing millions of personal records of its members. The data leaked includes members’ names, social security numbers, physical addresses, email addresses, and phone numbers.
According to Bob Diachenko, director of cyber risk research at Hacken, who discovered FIESP’s leaky databases, the records were stored in Elasticsearch, with a total count of 180,104,892.
“The public configuration allows the possibility of cybercriminals to manage the whole system with full administrative privileges,” Diachenko wrote in a blog post. “Once the malware is in place criminals could remotely access the server resources and even launch a code execution to steal or completely destroy any saved data the server contains.”
The data was online and accessible for several days, ZDNet reported. Diachenko said that he attempted to contact FIESP but received no response. However, the leaky database was taken offline after a Brazilian Twitter follower got in touch with FIESP.
Although FIESP denied that a serious breach had occurred, the organization said in a statement that it is "investigating the alleged access to its database by a company that claims to work in digital security," ZDNet reported.
FIESP reportedly claimed that the exposed database contained no sensitive information and that no data was accessed by malicious third parties. However, it is still unclear how many individuals were affected by the breach.
The Brazilian Public Prosecutor's Office is reportedly investigating the data leak. Meanwhile, the country is yet to propose and establish its own data protection laws. This means that at present, there are very few regulations that force public or private entities to report breaches.