Data leaks: companies must inform customers in case of risk

Find out what to do and how to protect yourself.

Around the world, including in Brazil, data leaks have become frequent. Public announcements by companies warning of leaks are, more than a gesture of goodwill, a legal requirement in several countries with data protection laws, following a trend that is here to stay: transparency of information.
One of the most recent large-scale attacks was announced on October 10 by Air Europa, which admitted that its credit card payment system had been breached, without revealing the number of customers affected. This month, 23andMe, a genetic testing company, also admitted that an unspecified number of customer profiles had been leaked. Last month, Sony confirmed that the data of 6,700 employees in its PlayStation division had been leaked. A similar situation occurred with MGM Resorts.

In Brazil, cases are also mounting. On October 6, the Information and Communication Technology Agency of UFMS (Federal University of Mato Grosso do Sul) identified possible unauthorized access, during a cyberattack, to personal data held in its file-sharing systems. The Central Bank of Brazil also disclosed the leak of 239 Pix keys belonging to customers of a payment company, the fifth data leak since the system's launch in November 2020. The same happened with information from Auxílio Brasil and the São Paulo State Public Servant Assistance Institute (IAMSPE), among countless other cases.

According to Luiz Fernando Plastino, PhD in Civil Law and a specialist in Privacy and Data Protection, this type of data leak occurs either by accident or by the actions of someone with malicious intent. "Direct attacks by hackers exploiting vulnerabilities are relatively uncommon, and most leaks are made possible by flaws in the configuration of networks or services or carried out by social engineering, in which someone tries to get an employee or even a company director to click on a link to open loopholes in the system or reveal information that will help in the invasion," explains the lawyer, who is part of the team at Barcellos Tucunduva Advogados (BTLAW).

In addition to the legal obligation under Brazil's General Data Protection Law (LGPD) to report incidents to the National Data Protection Authority (ANPD), companies also need to alert their customers in certain situations. "The LGPD brings with it the obligation to inform those affected when the leakage of personal data could generate a relevant risk or damage, but other sector regulations, as in the case of Pix, can oblige a company to report leaks even if, in theory, there is no such risk," Plastino explains.

But how can you monitor and find out whether your data has been leaked? The lawyer explains that it is possible to use services that look for data leaks in real time. "For example, subscribers to Google products can set up alerts in case leaked data is identified; the website HaveIBeenPwned also allows free searches based on email address."
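The HaveIBeenPwned lookup mentioned above, as an added example that is not part of the original article: besides the email search on its website, the service exposes a Pwned Passwords range API that lets a client check a password against the breach corpus without sending the password, or even its full hash, to anyone. The client sends only the first five hex characters of the password's SHA-1 and compares the returned list of suffixes locally (k-anonymity). The code below is the editor's own illustration of that flow; the sample range body and its counts are constructed, and `fetch_range` is the only part that would talk to the real service and is not called by the offline demo.

```python
"""Offline demonstration of the k-anonymity range lookup used by the
Pwned Passwords API (https://api.pwnedpasswords.com/range/<prefix>).

Added example, not code from the original article. SAMPLE_RANGES below is
CONSTRUCTED data that mimics the real response format, one
"<35-hex-char suffix>:<count>" entry per line; the counts are invented.
"""
from __future__ import annotations

import hashlib
import urllib.request

RANGE_URL = "https://api.pwnedpasswords.com/range/"


def sha1_prefix_suffix(password: str) -> tuple[str, str]:
    """Split the uppercase hex SHA-1 of a password into the 5-char prefix
    that is sent to the service and the 35-char suffix that never leaves
    the client. Disclosing only the prefix is the k-anonymity step."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def parse_range_body(body: str) -> dict[str, int]:
    """Parse a range response into {suffix: count}. Lines are CRLF-separated;
    padded entries (count 0) are kept so they behave like any other miss."""
    counts: dict[str, int] = {}
    for line in body.splitlines():
        line = line.strip()
        if not line:
            continue
        suffix, _, count = line.partition(":")
        counts[suffix.upper()] = int(count)
    return counts


def lookup_count(password: str, range_for_prefix) -> int:
    """Return how many times the password appears in the breach corpus, or 0.
    range_for_prefix(prefix) supplies the range body for that prefix; the
    suffix comparison happens locally, so the secret is never transmitted."""
    prefix, suffix = sha1_prefix_suffix(password)
    return parse_range_body(range_for_prefix(prefix)).get(suffix, 0)


def fetch_range(prefix: str, timeout: float = 10.0) -> str:
    """Fetch a real range from the service. Requires network; not called by
    the offline demo. Add-Padding asks the service to pad the response so
    its size does not reveal how populated the requested prefix is."""
    req = urllib.request.Request(
        RANGE_URL + prefix,
        headers={"User-Agent": "range-demo", "Add-Padding": "true"},
    )
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return resp.read().decode("utf-8")


# Constructed sample corpus for the prefix of SHA-1("password"), which is
# 5BAA6 (full digest 5BAA61E4C9B93F3F0682250B6CF8331B7EE68FD8). The suffix
# is computed rather than typed so the demo stays consistent; the other
# entries and every count are made up.
_PWNED_PREFIX, _PWNED_SUFFIX = sha1_prefix_suffix("password")
SAMPLE_RANGES = {
    _PWNED_PREFIX: (
        "003D68EB55068C33ACE09247EE4C639306B:3\r\n"
        "012C192B2F16F82EA0EB9EF18D9D539B0DD:1\r\n"
        f"{_PWNED_SUFFIX}:3861493\r\n"
        "1E2AAA439972480CEC7F16C795BBB429372:2\r\n"
    ),
}


def offline_range(prefix: str) -> str:
    """Stand-in for fetch_range that serves the constructed sample data.
    An unknown prefix yields an empty body, i.e. no matches."""
    return SAMPLE_RANGES.get(prefix, "")


if __name__ == "__main__":
    for pw in ("password", "correct horse battery staple"):
        prefix, _ = sha1_prefix_suffix(pw)
        n = lookup_count(pw, offline_range)
        print(f"{pw!r}: prefix sent = {prefix}, seen {n} time(s) in sample corpus")
```

To run it against the live service, pass `fetch_range` instead of `offline_range` to `lookup_count`; the only thing that crosses the network is the five-character prefix, which is shared by roughly 1/16^5 of all possible SHA-1 digests, so the server cannot tell which password was checked.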

Luiz Fernando Plastino advises users to take care of their own privacy. "At the end of the day, there's not much you can do once the data has been made public; you just have to take care of your own privacy. People need to become aware of their rights, read privacy policies, get to know the companies that want to obtain their data and avoid handing over their data when it is unnecessary or when the company that requested it has inconsistent data protection practices, or a history of large or poorly addressed leaks," he says.

For companies to take better care of the data they hold, they need to invest in protective measures such as penetration tests, monitoring for new threats, adopting dedicated equipment and software such as firewalls and anti-malware, and raising awareness and training their teams. "Both to prevent them from falling victim to social engineering or accidentally exposing data, and so that they know how to act quickly and effectively to stop any leaks and mitigate their effects," Plastino points out.

If a person receives notice that their data has been leaked, the lawyer makes a few recommendations: "It is essential to change the passwords for the affected services and to be alert to strange service behavior, emails and financial transactions, informing relatives, close friends and account managers to beware of the possibility of scams in your name." It is also advisable to regularly consult the Central Bank's Registrato system in the days following the leak. "Through it, you can identify whether someone has opened an account, generated a Pix key or taken out a loan in your name. With this information, you can take action to contest fraudulent actions or, in some cases, file a lawsuit to get compensation," he concludes.


Source: Jornal Jurid, Guia do investidor and Jornal Contabil