Taxpayer identification numbers for 120 million Brazilian citizens have been exposed by a misconfigured server. These tax identification numbers are called “Cadastro de Pessoas Físicas” (CPFs) and function much like a Social Security Number in the US, a National Insurance number in the UK, or their equivalents elsewhere. A Brazilian national needs a CPF to open a bank account, register a business, pay taxes or take out a loan. Exposure of these numbers, particularly alongside the other personal data found with them, enables identity fraud and puts each number’s owner at risk.
Research by InfoArmor, a cybersecurity provider, revealed that an Apache web server discovered in March 2018 was configured incorrectly, leaving its contents publicly accessible. InfoArmor opened one of the archives on the server and found CPFs together with other personal information about the individuals concerned.
“Each exposed CPF linked to an individual’s banks, loans, repayments, credit and debit history, voting history, full name, emails, residential addresses, phone numbers, date of birth, family contacts, employment, voting registration numbers, contract numbers, and contract amounts.”
After discovering the exposed data, InfoArmor started an investigation to determine the owner of the database.
“In the days following the initial discovery, InfoArmor’s research team attempted to determine who owned the server so they could be notified. During this time, InfoArmor observed that one of the files, an 82 GB file, had been replaced by a raw .sql file 25 GB in size, though its filename remained the same.”
It is thought that the directory was being used to store database backups, without its operator realizing that it was viewable by anyone on the internet.
It is not yet known whether anyone discovered the server before InfoArmor did, for example criminals who could use the information for fraud. The fact that a file was replaced while InfoArmor was still watching shows the server was in active use during the exposure window, not an abandoned host.
It is highly concerning that this was allowed to happen, since the exposure was trivially preventable. The listing that let InfoArmor browse the archives is Apache’s automatic directory index, which is rendered whenever a directory has no index file and the Indexes option is enabled. Dropping a file named index.html into the folder would have hidden the listing, but only the listing: anyone who knew or guessed a filename could still download it. The proper fixes are to disable directory indexing in the server configuration (Options -Indexes) and, above all, to keep database dumps outside the web root, so that no URL maps to them whether or not a listing is shown.
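The misconfiguration described above, as an added example that is not from the article or from InfoArmor: an Apache httpd configuration fragment showing the setting that produces a browsable directory listing beside the hardened form. The document root, the backups path and the file extensions are assumptions for illustration.

```apache
# Added example, not from the article. Paths and extensions are assumptions.

# WEAK: with Indexes enabled, any directory under DocumentRoot that lacks an
# index file (index.html etc.) is rendered by mod_autoindex as a clickable
# listing of every file in it, including database dumps copied there.
#
# <Directory "/var/www/html">
#     Options +Indexes +FollowSymLinks
#     AllowOverride None
#     Require all granted
# </Directory>

# HARDENED: disable autoindex for the whole document root. A request for a
# directory with no index file now returns 403 instead of a listing. This
# applies to every subdirectory unless a more specific <Directory> block or a
# .htaccess file re-enables Indexes, which AllowOverride None prevents.
<Directory "/var/www/html">
    Options -Indexes +FollowSymLinks
    AllowOverride None
    Require all granted
</Directory>

# Defence in depth: refuse to serve dump and archive files even to a client
# that knows the exact filename, since hiding the listing alone does not stop
# direct downloads.
<FilesMatch "\.(sql|sql\.gz|dump|bak|tar|tar\.gz|tgz|zip)$">
    Require all denied
</FilesMatch>

# The real fix is to keep backups outside DocumentRoot entirely, for example
# under /var/backups/db (assumed path), so that no URL maps to them at all.
```

After changing the configuration, run `apachectl configtest` and reload, then confirm with `curl -I https://example.invalid/backups/` (hostname assumed) that the directory now answers 403 rather than 200 with an “Index of /backups” page.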