O MPDFT (Public Ministry of the Federal District and Territories) is investigating the Bank Pan due to a possible leak of personal data of its customers, including photos of RG, CNH, CPF, proof of income and residence. There were about 1.2 million files exposed on the internet, totaling almost 250 GB, in what may be “the biggest security incident involving financial data in Brazil”. The bank says it did not manage the server in question.
In July, the site The Hack revealed that 245 GB of documents were stored in the cloud in an Amazon S3 (Simple Storage Service) bucket, mainly involving customer data from Banco Pan, formerly known as PanAmericano.
According to the MPDFT, there were 1,235,151 files on the exposed server. The agency received part of them, including “digitization of personal documents such as identity cards, driver’s licenses, proof of residence, CPFs, credit cards, financing contracts, withdrawal requests and bank statements, among others”.
According to the Public Ministry, this may be “the biggest security incident involving financial data in Brazil”. For this reason, a public civil inquiry was opened to investigate what happened; he will be in charge of Espec (Special Unit for the Protection of Personal Data and Artificial Intelligence). The Central Bank and CVM (Securities and Exchange Commission) were notified.
Banco Pan says that “no invasion was found”
In a note to the Digital Convergence, Banco Pan says that the cloud environment questioned in the MPDFT investigation “is not its property”; and that, “after careful analysis of their security systems, no invasion was found”.
Banco Pan offers payroll loans through 627 bank correspondents, and vehicle loans in 8,300 dealerships and multi-brand stores. These partners obtain registration data from potential customers “before the formalization of an operation with the Bank, which takes the appropriate measures if any type of misuse of this information is identified”, the note states.
According to the The Hack, the server exposed on the internet probably belongs to a banking correspondent “who works exclusively with services aimed at the retired public, pensioner, military or public servant”.