OVER 100 MILLION RECORDS OF BRAZILIAN TAXPAYERS BREACHED

The cause seems to be a poorly configured server

During the first quarter of 2018, experts from a cybersecurity and digital forensics firm discovered a misconfigured server exposed online containing 120 million ID numbers of Brazilian citizens. The company emphasizes that it has not been possible to establish for how long this information has been exposed.

All Brazilian taxpayers have an ID number for multiple operations, such as opening a bank account, paying taxes or applying for a loan.

Digital forensic experts discovered a file (index.html_bpk) on the Apache server, which they consider to be a backup of the original database; this caused the web server to display the list of files stored in this location and allowed them to be downloaded.

According to the cybersecurity firm report, the folder includes data files that vary in size from 27 MB to 82 GB.
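A defensive check for the condition described above, as an added example that is not from the original report: it walks a web root and flags directories that hold no index file (which Apache's mod_autoindex would list when `Options Indexes` is enabled) yet contain dump- or backup-like files. The index names, the suffix list and the sample tree are assumptions constructed for illustration.

```python
import os
import tempfile

# Assumed DirectoryIndex names; match these to the server's own configuration.
INDEX_NAMES = {"index.html", "index.htm", "index.php"}
# Illustrative suffixes that suggest a database dump or a backup copy.
RISKY_SUFFIXES = (".sql", ".sql.gz", ".bak", ".dump", ".tar.gz", ".zip", "_bkp", "_bpk", ".old")


def audit_docroot(docroot):
    """Return directories that would be auto-listed and the risky files they expose."""
    findings = []
    for dirpath, _dirs, files in os.walk(docroot):
        lower = {f.lower() for f in files}
        if lower & INDEX_NAMES:
            continue  # an index file is served instead of a listing
        risky = sorted(
            (f, os.path.getsize(os.path.join(dirpath, f)))
            for f in files if f.lower().endswith(RISKY_SUFFIXES)
        )
        if risky:
            findings.append({"directory": os.path.relpath(dirpath, docroot), "exposed": risky})
    return sorted(findings, key=lambda item: item["directory"])


def build_sample_docroot(root):
    """Write a constructed sample tree: one directory with an index, one without."""
    layout = {
        "site/index.html": b"<html></html>",
        "site/backup.sql": b"-- not listed, but still fetchable by direct URL",
        "backups/index.html_bpk": b"<html></html>",  # does not match any index name
        "backups/dump.sql": b"-- constructed sample" * 10,
    }
    for rel, data in layout.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(data)


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_docroot(tmp)
        for finding in audit_docroot(tmp):
            print(finding["directory"], finding["exposed"])
```

A finding means the files should move out of the web root; setting `Options -Indexes` only hides the listing and does not stop direct requests for a known file name.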

In addition, the experts discovered that one of the files contained data related to the Cadastro de Pessoas Físicas (the taxpayers register in Brazil), including personal information, military information, telephone, loans and addresses associated with taxpayers. “These records issued by the Federal Reserve of Brazil contain information related to banks, credit history, participation in elections, full names, addresses and telephone numbers of victims”, mentions the report of the security firm.

Digital forensics experts from the International Institute of Cyber Security believe this directory could be used to store backups. At some point in recent days, the largest file stored on this server was replaced with a 25 GB SQL file.

“In the days following the discovery of this incident, a research team tried to identify the owner to notify him of the state of his server. During that time period, an 82 GB file was replaced with a 25 GB SQL file,” the team of specialists mentioned. “These actions suggest that the exposure of the data was caused by human carelessness. Server administrators might discover their error, although the server remained exposed at least two weeks after the error was discovered.”