TIM will be investigated by Senacon (National Consumer Secretariat), part of the Ministry of Justice and Public Security, which wants to establish the details of a leak that affected thousands of customers and included data such as name, CPF, date of birth and telephone number. The operator can be fined around R$ 10 million; it says it suffered a “criminal hacker attack”.
The leak was reported in April by Felipe Payão in TecMundo. The problem was in the TIM Negocia platform, where individual and corporate (PJ) customers can check whether they have debts with the operator and resolve any financial issues.
The hacker Krypt0nsh3ll says that he obtained access to personal data in TIM Negocia through an exposed API. According to him, it was also possible to read the history of customer service conducted via chat.
Payão received a sample of data from 48 thousand customers with name, CPF, date of birth, debt amount and telephone number. TIM stated at the time that “29 thousand customers were impacted”, and that TIM Negocia uses a platform that “is not exclusive to the operator”.
According to the TIM Negocia website, the service is provided by Grupo Services. The company, based in Curitiba, operates in the areas of collection and call center; it also serves Oi, NET, Claro and Vivo, as well as other companies outside the telecommunications industry.
TIM can be fined almost R$ 10 million
After being informed about the security breach, TIM asked that the Negocia platform be taken down “for prevention and as a measure to protect customer data”. It also reported the case to law enforcement authorities and hired an independent company to investigate what happened.
For Senacon, this does not eliminate the damage caused to customers “nor does it, by itself, rule out the occurrence of administrative infraction against consumer protection rules”.
TIM will be summoned to provide evidence and assist with the investigation. It may be fined approximately R$ 10 million. The operator says in a statement that it “was the victim of a criminal hacker attack and has not yet been notified of Senacon’s assessment, when it will present a defense in the administrative proceeding”.
The DPDC (Department of Consumer Protection and Defense), linked to the Ministry of Justice, believes that there are signs of “offense to the principles of vulnerability, transparency, trust, education, information, harmonization of interests and good faith, in addition to the rights of freedom of choice, adequate information, protection against abusive practices and effective prevention and repair of damages”.