A ‘Government Database’ Of 92 Million Citizen Records For Sale To Highest Bidder

This article is more than 4 years old.

When I recently reported how the personal data of the entire 16.6 million population of Ecuador had been leaked online, I thought that was about as bad as things would get as far as data breaches in South America were concerned. It looks like I thought wrong. An alleged breached "government" database, some 16GB in size, has been put up for sale on the dark web. While not impacting the entire population, Brazil has the biggest population of all in South America, and this database is said to contain the personal information of 92 million citizens. That's not far short of half the population and looks to align pretty closely with the number of Brazilians in employment.

Dark markets auction 92 million Brazilian citizen record database

Following a tip-off from a threat intelligence analyst known as Breach Radar, a BleepingComputer reporter investigated the auction of an alleged government database containing the personal information of some 92 million Brazilian citizens.

Ionut Ilascu found that the database was being auctioned across multiple restricted-access dark web marketplaces. The starting price for this 16GB, SQL-format database is $15,000 (£12,160), with $1,000 (£810) bidding increments thereafter.

The seller, known only as X4Crow, claims that the database includes personal information such as names, mother's name, gender, dates of birth and taxpayer IDs of the 92 million citizens. The data is sorted across provinces in Brazil, and a sample acquired by Ilascu verified the accuracy of this claim. BleepingComputer also has information to suggest that this is a government database, although this could not be confirmed at the time of writing.

Another claim by X4Crow that could not be confirmed concerns the size of the database: not the 16GB of data itself, but rather that this represents almost the entire population of Brazil. Given that the population of Brazil, according to Google, was 209.3 million in 2017, this doesn't stack up. However, the BleepingComputer report suggests there is a close match between the database information and the working population of Brazil, which is 93.18 million, again according to Google.

As well as the database itself, X4Crow is also advertising a Brazilian citizen search service that promises to retrieve a fuller data profile, including national identification document information such as driver's license details along with telephone numbers, profession and education. In addition, X4Crow is also offering company data for a $150 (£121) fee.

What do the security experts say?

If this database is genuine and does contain the personal information of 92 million Brazilian citizens as looks likely from what is known, then it "proves our current data protection model is woefully inadequate," Corin Imai, a senior security advisor at DomainTools, said. "Organizations, public and private, need to become smarter at protecting data," Imai said, "to mitigate the risk to their customers and their own companies."

In just the last few weeks, I have reported on data leaks involving EA Sports and FIFA 20, an alleged breach at Zynga impacting more than 200 million gamers and an unsecured database of 198 million car buyers exposed online. Sadly, I doubt it will be very long before I am writing the next data leak news story.

According to Paul Edon, senior director of technical services at Tripwire, this latest incident is indicative of cybercriminals becoming increasingly motivated by the potential monetary gain of this dark web currency known as personally identifiable information. "Organizations and governmental bodies need to consider going above and beyond the security measures recommended as standard practice, or they will find themselves unprepared," Edon said, "when retaining this kind of data it is critical to choose an encryption solution that not only protects the database instances but also provides protection for data in transit and at rest."
