Unprotected Server of Brazilian Financial Service Provider Exposes 250 GB Customer Data of Various Local Banks

  • Even though the server is linked to more than one bank, a majority of the exposed details were related to a local bank named Banco Pan.
  • The exposed information includes banking customers’ personal data such as scanned ID, social security numbers, documents provided as proof of address, and service request forms filled out by customers.

Security researchers from Data Group uncovered an unprotected server containing 250 GB of data that was publicly accessible without any authentication.

What’s the matter?

The unsecured server contained sensitive information of clients of various local banks. Even though the server is linked to more than one bank, a majority of the exposed details were related to a local bank named Banco Pan.

However, the number of individuals impacted by the data leak remains unknown.

What information was exposed?

The exposed information includes banking customers’ personal data such as scanned ID, social security numbers, documents provided as proof of address, and service request forms filled out by customers based in the capital city of Fortaleza, in the Brazilian state of Ceará.

What was the response from Banco Pan?

Banco Pan conducted an internal review of its security systems and determined that the server is not owned by the bank; rather, it is managed by a partner of the bank. The partner offers services such as loans for pensioners.

“After careful analysis of its security systems accompanied by independent consultancy, it has become evident that the server is not owned by Pan and that no intrusion into the bank's infrastructure has been found,” Banco Pan said, ZDNet reported.

The bank said that security is a key priority for the firm and it complies with data protection best practices as well as local regulations. “[Pan] will take appropriate measures if any misuse of this [personal] data is identified,” the bank added.

Cyware Publisher