When the first cases emerged, they were treated as isolated incidents. But now, with more than 1 million Pix keys exposed since 2021, according to data recently released by the Central Bank, it is more accurate to call them common. The most recent was from Cashway Tecnologia, which, despite involving only 50 keys, made Brazil revisit the security of the instant payment system.
This is because in the first months of this year, new data breach incidents were recorded, raising concerns about the protection of users' personal data. Before Cashway, the problem had occurred at QI Direct Credit Society and exposed 25,349 clients' Pix keys. In addition to these, the case of XP (XPBR31) received significant attention, as it informed clients at the end of April that a database hosted by an external provider of the financial institution experienced an "unauthorized access." In this way, users were victims of information leaks, such as name, phone number, email, date of birth, ZIP code, marital status, position, and nationality, as well as which financial products were contracted, the XP account number, and the balance from the previous month.
According to Thiago Guedes, CEO of DeServ, a company specialized in information security and data privacy, it is essential for companies responsible for protecting Pix keys to prevent the occurrence of specific system failures to observe the entire development process of applications and systems, from the programming and testing phase to when they go into production. This monitoring is required precisely to prevent possible problems and failures before they even occur.
"In this way, all companies that handle personal data need to develop continuous improvement processes covering both the legal aspect and information security. Throughout all data processing stages, it is essential to seek immediate compliance with the LGPD. The legislation itself requires a data protection impact report, and the company needs to structure itself to have these processes well established in order to manage potential risks," he states.
Regarding Pix key holders, it is important to be aware that it is not always possible to know when and if they have been victims of a leak.In this regard, the ideal is always to take double measures of security. "Although the leaked data do not include passwords or allow financial transactions, any exposure of personal information can facilitate scam attempts, especially through social engineering," warns
Guedes gives some tips on how to protect yourself.
Monitor your Pix keys:Frequently monitor the use of your Pix keys through your bank's app. If you notice anything strange or unknown, contact the financial institution immediately.
Activate alerts and notifications:Keep Pix transaction notifications enabled on your phone to quickly identify any unauthorized activity.
Beware of suspicious messages:Coup plotters often use leaked data to send fake messages (phishing). Never click on links received via SMS, WhatsApp, or email, even if they appear legitimate.
Update your information:If you suspect that your key has been compromised, you can request the portability or deletion of the Pix key from your bank.
Use multiple authentication factors:Whenever possible, enable two-step verification on financial apps and register strong, unique passwords.
Check if your data has been leaked:The Central Bank provides official channels to inform users about potential leaks. Stay alert for announcements directly on your bank's app or the BC website.
According to the Central Bank, the leaked data includes information such as name, CPF, banking relationship, agency number, and Pix key creation date. No sensitive data, such as passwords, balances, or statements, has been compromised. Still, the recommendation is to double the attention.
"Pix is a secure system, but no technology is immune to operational failures. Therefore, user caution is an essential part of protection," concludes the specialist.
