The Detran-RN website gave access to the personal information of 70 million people in Brazil, including address, CNH, RG and CPF, over three months, according to a security researcher. The flaw was corrected in the first week of October, and the agency opened an administrative procedure to address the security breach.
The researcher, who remained anonymous, told the Estadão that it was possible to use any CPF to obtain more details about one of the 70 million people in Brazil with a driver’s license. The system of Detran-RN resulted in the complete home address, telephone (with operator), CNH, RG data, date of birth, sex and age.
The flaw was explored by the researcher for three months. He states to the Digital Look who contacted Denatran (National Traffic Department) twice to warn about the problem, but there was no return. Then, in the first week of October, the Detran-RN page stopped showing CNH’s registration data.
Detran-RN: “user data was not affected”
In a statement, Detran-RN states that “immediately, the IT department’s technical team remedied the failure in its system”. In addition, the directorate-general “is opening an administrative procedure to investigate the fact”.
The agency claims that “user data has not been affected, just as there has been no interference with the National Driver’s License Registry (Renach) or the National Motor Vehicle Registry (Renavam)”.
When Detran-RN says that the data was not “affected”, I imagine that they mean that they were not modified. The failure in the system did not allow editing the CNH record, only accessing it. Regardless, it is unacceptable that the breach lasted for so many months.
The General Data Protection Law (LGPD), which establishes stricter rules for storing personal information, does not come into force until August 2020. According to law 13.709 / 2018, companies and public bodies must inform the people affected by possible security incidents; the “appropriate measures” will be applied by the National Data Protection Authority (ANPD).
Personal data of President Jair Bolsonaro were exposed in the system of Detran-RN (via Olhar Digital):