The Brazilian National Data Protection Authority (ANPD) has confirmed it is investigating the leakage of personal data from telephone companies, following media reports of a huge personal data breach.
The breach has affected 102m customers, according to website Neofeed. It reportedly included the leakage of names, taxpayer registration numbers and minutes spent on mobile phone calls, with the country’s President Jair Bolsonaro among the victims.
An ANPD statement said: “The ANPD informs that it is technically investigating information about the incident involving the leakage of personal data. The ANPD is taking all appropriate measures.”
A cybercriminal based outside Brazil claimed to have obtained 57.2m customer data sets from Vivo and 45.6m from Claro and is selling them on the dark web.
IT sector journal ZDNet, however, reported that cybersecurity and privacy firm Psafe has found no evidence the mobile operators were the source of the leaks, and Vivo and Claro deny any customer data has been breached.
ANPD says it is taking all appropriate measures and other agencies including the police are helping with the investigation.
The authority is also calling on Vivo and Claro to take measures to contain and mitigate risks related to the personal data of those affected.
Earlier this year there was a data breach from a Brazilian credit assessment agency involving details of 223m people, including some deceased, such as name, address, income, personal vehicle information and tax returns. The information was sold on the dark web.
The latest breach comes days after the ANPD published a document outlining its strategies and goals for the next two years. The document outlines three strategic objectives: strengthening the culture of personal data protection; establishing the regulatory environment for the protection of personal data; and improving the conditions for legal compliance.
ANPD is the body tasked with enforcing Brazil’s new data protection regulations, which came into force in September.