Data system linked to the Central Bank of Brazil suffered data leakage; 1.8 terabytes are stolen
A data system of the Central Bank of Brazil (Bacen) was reportedly the target of a major data leak this Monday. As a result, around 1.8 terabytes (TB) of Brazilian citizen data are said to have been leaked.
The information came from Renan Peixoto, a journalist at GloboNews, who cited data from the Dataminr platform. According to that information, the website was reportedly the target of a ransomware attack and lost data as a result.
It is unclear what damage was caused or the extent to which data was stolen. However, the attack appears to have affected the systems of the Telecommunications Research and Development Center (CPQD).
DATAMINR: Brazilian Central Bank blockchain service impacted by LV ransomware group, with 1.8TB of data leaked including blockchain servers. Alert delivered on Mon May 02 2022 @Dataminr https://t.co/WAmm6ASQQN pic.twitter.com/I7wKFUJjlm
— Renan Brites Peixoto (@RenanPeixoto_) May 2, 2022
Blockchain system?
According to Peixoto, CPQD is said to be a blockchain data system, responsible for storing digital identity information. However, this information is still unclear, as is the extent of the leaked data.
CPQD is responsible for developing decentralized digital identity projects, such as FinID, presented in March 2020. The identity was presented at LIFT, a program coordinated by Bacen, two years ago.
Based on the concept of decentralized digital identity, the FinID solution was presented by José Reynaldo Formigoni, manager of Blockchain Solutions at CPQD. According to this concept, the owner (holder) of the digital identity is responsible for the control and management of their data.
“Decentralized digital identity is made up of multiple electronic credentials issued by different participating identifiers (also called agents) that are part of a blockchain network,” Reynaldo said in 2020.
During the development of FinID, CPQD had the support of a group of specialists from Bacen, with R3 Corda as its technology partner. That is, the so-called “blockchain” was probably a distributed ledger (DLT).
Counterpoint
At first, CPQD was linked directly to Bacen, as if there had been a “data leak from the Central Bank blockchain”. However, there is no direct relationship between the activities of the two institutions.
With the exception of FinID, CPQD does not carry out any other blockchain project, nor any project linked to Bacen. FinID itself serves only as the shareable identity between Financial Institutions that support Open Banking in Brazil.
In other words, the system is not yet in the hands of ordinary Brazilians, so personal data has apparently not been affected. Data scientist Marcelo Oliveira also shared the information, saying the flaw may have affected other systems.
It looks like there was a data leak from some central bank blockchain, it’s not clear yet what kind of data it is, it could be a digital identity system.
If the attack is confirmed as it has been described, the leak reached data related to the Open Banking system. As of this writing, no serious data has been compromised.
However, the event serves as a warning about the risks of systems centralized in a single company or agency. After all, the risks of leakage are enormous and potentially harmful to the owners of that data.