Every minute, more than 455 Brazilians have their personal data leaked on the internet, according to a study by Surfshark, a Dutch cybersecurity company.
In the second quarter of this year alone, about 3.2 million people suffered some type of exposure in the country. The exposed information includes RG, CPF, CNH, bank records, cell phone numbers and other documents that, once in the wrong hands, cause not only headaches but also losses for their holders.
Retiree Regina Silva, 66, who lives in the south of São Paulo, is an example. Without knowing how a financial institution had obtained her personal information, she became a victim of unauthorized use of her data when a line of credit appeared in her account without her knowing the source. “I thought ‘what kind of money is this?’ and went to check it out,” she says.
Upon identifying a TED, Regina contacted her bank. “I asked to return it, but they said I had to take care of it.” She then called the financial institution that made the deposit and said she did not recognize that credit, but was informed that they had received a contract signed by her.
In the following weeks, she got no explanation. “If there was a contract, I had to collude with it. And I had never spoken or signed anything with this institution.” Regina then called the ombudsman and waited for an answer.
About a year later, the company still insists it had a contract signed by her. The ombudsman said only that the mistake was made by an employee, who no longer works for the company. Finally, Regina returned the amount that had been wrongly credited to her account, but she still doesn’t know how they got her personal data.
A situation like the one experienced by Regina reinforces a growing concern about privacy.
Between 2018 and 2019, the number of data leaks in Brazil increased by 493%, according to a survey by MIT (Massachusetts Institute of Technology). There were three major incidents in 2018, and in 2019, that number reached 16.
In January 2021, 223 million personal data records of Brazilians were leaked and, in the following month, 102 million cell phone accounts ended up exposed online. The country ranks 12th among those most affected by leaks.
What to do in case of leaks
But what can and should citizens do when they have their data exposed? In addition to immediately changing all their passwords, they must try to understand how the leak occurred, identify where it came from, contact the institution directly and question it.
If this is not possible (as it is not in most cases), the ANPD (National Data Protection Authority), the federal government agency responsible for the security of citizens’ information, must be contacted.
The agency advises data subjects to gather evidence related to the origin of the leak and the type of personal data exposed, both in the case of private companies and public bodies.
“Using the General Data Protection Law (LGPD) it is possible to send demands to companies and complaints to the ANPD”, explains Fabricio Polido, innovation and technology and dispute resolution partner at LO Baptista Advogados.
“To send communications that fall into this situation, the citizen must resort to the Electronic Petition of the SEI System, used by federal administration bodies, such as the ANPD”.
If the origin of the incident is a public body, once the evidence has been gathered, the citizen can send the complaint to the body itself.
The victim must also file a police report with a police station that deals with cybercrime. In some cases it is possible to carry out this process online, as with the Civil Police of São Paulo.
According to Fabrício Lopes, ANPD’s supervisory coordinator, once the security issue reaches the agency, the biggest concern is whether the institution (public or private) that holds the information has taken effective measures to protect that data.
“The greater the risk associated with the treatment given by the company to the citizen’s data, the more rigorous the protection must be”, he says. This is the case with RG and CPF numbers, which, once exposed, increase the risk of fraud.
It is up to the ANPD to assess whether these institutions were transparent. “If someone who has your personal data suffers an incident with that data and doesn’t tell you, you don’t even have a way to protect yourself, react or prepare for it”, says Lopes. “One of the key points is precisely to verify whether the company or public body reported the incident.”
For Fábio Rua, director of government relations at Latam and global leader of ESG policies at IBM, the misuse of personal data directly impacts a company’s credibility.
“When an attack is consummated, there has to be a structure within the company ready to react and communicate to everyone involved what happened.” The problem is that not all companies do this. On the other hand, users also seem not to grasp the real scale of this issue.
Cyber hygiene is essential, as explained by Fabro Steibel, professor and executive director of the ITS (Instituto de Tecnologia e Sociedade do Rio). “Don’t use passwords that are too logical, rather use phrases,” he points out. “We need education first, because while there aren’t enough IT professionals, we won’t be able to make the infrastructure secure, there’s a lack of people to do that”.
In addition, the professor states that it is also necessary to always strengthen the LGPD. “And we need people to care as much about personal data as they care about consumption.”
This report was produced from content discussed at Lab Sociedade Digital, a partnership between Unico, an ID tech company in digital identity, and Folha, with support from ITS (Instituto de Tecnologia e Sociedade do Rio).