The São Paulo State Department of Culture confirmed that a “technical error” exposed data from 28 thousand people, including images of ID, CPF and proof of address. The flaw was in the ProAC (Cultural Incentive Program) system and affected information sent between 2015 and 2018. The agency opened an investigation into what happened.
According to the Focus Congress, the ProAC system exposed data from approximately 28 thousand people who sought financial support from the Secretariat of Culture. To enroll in the program, candidates need to prove that they live in the state of SP and have worked in the cultural area for at least two years.
This system, which has not yet adopted the HTTPS protocol, is used to receive proof of address and RG and CPF images. The files are saved with sequential numbers to identify them: that is, anyone who has a valid URL can simply change this number to access the documents of all candidates, without having to log in.
“Each candidate has two identifiers, in this case, a sequential and predictable order, which allows the download link to be recognized and the files downloaded from the platform”, explains the Focus Congress. “In other words, changing the sequence, it is possible to access the data of almost 30 thousand subscribers.”
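The access-control gap described above can be shown side by side with a corrected handler. This is an added example, not ProAC code: the `DocumentStore` class, its method names and the sample accounts are hypothetical, and the store is an in-memory stand-in for a real file backend.

```python
import secrets
from dataclasses import dataclass


@dataclass
class Document:
    owner: str       # account that uploaded the file
    content: bytes


class DocumentStore:
    """Constructed in-memory store, used only to illustrate the two patterns."""

    def __init__(self):
        self._by_seq = {}      # legacy index: sequential integer -> Document
        self._by_token = {}    # hardened index: random token -> Document
        self._next_seq = 1

    def upload(self, owner, content):
        doc = Document(owner, content)
        seq, self._next_seq = self._next_seq, self._next_seq + 1
        token = secrets.token_urlsafe(32)   # 256 bits from the OS CSPRNG
        self._by_seq[seq] = doc
        self._by_token[token] = doc
        return seq, token

    def download_legacy(self, seq):
        # Pattern the article describes: the number in the URL is the only
        # thing standing between a visitor and the file. No session, no owner check.
        doc = self._by_seq.get(seq)
        return (200, doc.content) if doc else (404, b"")

    def download_hardened(self, session_user, token):
        # 1. Require an authenticated session before touching the store.
        if session_user is None:
            return 401, b""
        doc = self._by_token.get(token)
        # 2. Enforce ownership on every request. "Not found" and "not yours"
        #    return the same status so the response does not confirm existence.
        if doc is None or doc.owner != session_user:
            return 404, b""
        return 200, doc.content
```

The random token only makes identifiers hard to predict; the ownership check is what actually restricts access, so it must stay even when identifiers are unguessable.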
Culture Secretariat “regrets technical error”
The Secretary of Culture has been contacted several times since Monday (21), but only responded on Thursday night; in the meantime, the ProAC system remained online, exposing the candidates’ data.
In a statement, the secretariat “regrets that a technical error made by previous management exposed personal data of proponents registered in previous editions of ProAC 2019”.
The company responsible for the system was notified and, as determined by Secretary Sérgio Sá Leitão, an investigation was opened “to ascertain responsibility for the episode”, in addition to a preliminary procedure for “identification of possible flaws in the system”.
The LGPD (General Data Protection Law) only comes into force in 2020. It establishes that, if personal data is exposed or leaked by a public agency, it will be up to the ANPD (National Data Protection Authority) to take the “appropriate measures”. The entity will be linked to the Presidency of the Republic.
“I am afraid that, with the LGPD in place, little will change,” says lawyer Danilo Doneda, professor of Civil Law at the Brasiliense Institute of Public Law (IDP), to the Focus Congress. “The law was born weakened and nothing guarantees that the regulatory body within the structure of the Presidency will exercise the functions of controlling and penalizing these ‘failures’”.