Normalizing Pix leaks reduces vigilance against harm to data owners

The Central Bank of Brazil reported yesterday (19) another security incident involving personal data linked to Pix keys. This time, the information disclosed was under the custody and responsibility of SHPP Brasil Payment Institution and Payment Services Ltd., Shopee. As in the other 14 times when similar cases were reported by the agency, the news was accompanied by an attempt to reassure, stating that the data in question did not cause harm to consumers since it is not related to processes that affect money transactions. Despite this, experts warn that this type of approach can diminish understanding of the seriousness of the issue and leave people more likely to fall for future scams that use this data.

DeServ Academy partner Bruna Fabiane da Silva, elected one of the 50 Best Women in Cybersecurity in the Americas by WOMCY (LATAM Women in Cybersecurity), states that even if the exposed information is only of a registration nature, such as name, CPF, relationship institution, branch, account number, and account type, the people whose data has been leaked need to be vigilant because they can become victims of phishing and other scams that use social engineering. “It is important to consider that this is a significant breach of the confidentiality of information, which is data security,” she comments.

According to her, these cases usually occur due to failures in privacy by design and privacy by default practices, which are, in fact, requirements of data privacy legislation. When this incident occurs, there is a data breach that affects the rights guaranteed by the LGPD.

“In September, when the LGPD turns 4 years old, this type of situation needs to serve as a lesson learned in the sense that all companies need to have strategies to mitigate the risk of data leaks. The LGPD goes beyond information security and legal aspects. When seeking a procedure within organizations for personal data, it is important to consider information security as a way of planning any project or service. Because throughout the life cycle of this information, protections must be in place until the destruction of data, which also needs to be secure,” she says.

According to her, to prevent the occurrence of point failures in systems, it is essential to observe the entire development pipeline of applications and systems from the programming and testing phase until they go into production. This monitoring is required precisely to prevent possible problems and failures before they even occur.

The specialist advises all companies handling personal data to develop continuous improvement processes covering both the legal aspect and information security. Throughout all data processing stages, it is essential to seek immediate compliance with the LGPD. “The legislation itself requires a data protection impact report, and the company needs to structure itself so that these processes are well established in order to manage potential risks,” she states.

E-Commerce Update