Pan Bank Leaked 250GB Online.
Client documents were leaked via an unprotected server that exposed about 250 GB of scanned documents belonging to clients of several financial institutions.
The leak was reported by members of Data Group, a group of independent Brazilian researchers dedicated to researching critical vulnerabilities in apps and industrial systems environments.
The team provided a sample of approximately 350 MB, containing about 400 sensitive files, but the entire database is 250 GB.
The collection includes digital versions of personal documents (RG, CPF, CNH), proof of address, contracts, money orders, statements, payslips, paychecks and even credit cards.
It is difficult to estimate the number of customers affected, as the magnitude of the leak (and the disorganized state of the files) made it impossible to count the customers included in the incident.
Everything indicates that the vulnerable environment belongs to a bank correspondent that works exclusively with services aimed at retirees, pensioners, military personnel and civil servants.
All documents obtained by The Hack belong to account holders matching these profiles.
Looking at the collection of files with a little attention to detail, one can work out the complete financial profile of each customer, including monthly income (salary or benefit) and bank transactions.
There are also statements generated on internet banking pages, probably used as proof of monthly income.
With this information in hand, any cybercriminal would be able to devise scams based on ideological forgery (falsidade ideológica, a Brazilian criminal offence) or targeted phishing.
Fortunately, the server is already unreachable and there is no evidence that these files have been circulated on the open internet.
Regarding the number of institutions affected, The Hack has so far identified a total of four different financial companies, all specializing in retirees, pensioners, military personnel and public servants.
Pan Bank, headquartered in São Paulo, is the one most affected by this breach.
Although the leak includes documents from several institutions, most of them belong to the Pan Bank (formerly known as Pan Americano).
We were able to identify a very large number of portability contracts, that is, requests to transfer debt (loans or financing) from other banks to Pan.
The company's press office confirmed that the server in question belongs to a business partner, but was unable to give out its name.
The Bank informs that the environment in question is not its property and that, after careful analysis of its security systems, no invasion was found.
When working with business partners, potential customers' registration data are captured by such partners prior to the effective formalization of an operation with the Bank, which will take appropriate measures if any misuse of this information is identified.
It confirms that information security is one of its priorities, in line with internationally recognized best protection practices required by regulators.
In commitment to society, it remains available to collaborate with the facts.
It is important to note that document sharing with bank correspondents is an activity permitted and foreseen by the Central Bank of Brazil (BCB) and is regulated by Resolution No. 3,954 of 2011.
The problem is whether or not these correspondents adopt best security practices to ensure the protection of such sensitive data.
First Published 2019-09-19.