Security

Experian Challenged Over Massive Data Leak in Brazil (zdnet.com) 26

Experian may be in trouble again — this time in Brazil.

ZDNet reports on "the emergence of a leak that exposed the personal data of more than 220 million citizens and companies, which is being offered for sale in the dark web." After receiving feedback from Experian over a massive data leak in Brazil, São Paulo state consumer rights foundation Procon described the company's explanations as "insufficient" and said it is likely that the incident was initiated in a corporate environment...

Security firm PSafe discovered the incident, which exposed all manner of personal details, including information from Mosaic, a consumer segmentation model used by Serasa, Experian's Brazilian subsidiary. Following the emergence of the leak in January, Procon notified the credit bureau, and asked the company for a confirmation of the incident, and an explanation of the reasons that caused the leak, the steps taken to contain it, how it will repair the damage to consumers impacted and the measures taken to prevent it from happening again...

Contacted by ZDNet, Serasa Experian did not answer to requests for comment on Procon's response to its feedback.

The agency's demands for answers follow calls from the Brazilian Institute for Consumer Protection for urgent measures to investigate and punish those responsible for exposing the population's data, as well as improved citizen information and transparency.

  • "The company also argued that there is no evidence that its technology systems had been compromised. " - because we have none! hurrr hurr
  • by Quakeulf ( 2650167 ) on Monday February 22, 2021 @02:15AM (#61088868)

    All according to keikaku, and no one will face consequences, as usual.

    • by gweihir ( 88907 )

      It basically is a race between establishing rules that will hold the fuck-ups responsible accountable and all data being hacked so making that meaningless. Looks like the second thing is going to win by a very large margin.

      • It basically is a race between establishing rules that will hold the fuck-ups responsible accountable and all data being hacked so making that meaningless. Looks like the second thing is going to win by a very large margin.

        But we're treated to breathless admonitions that we need unmemorizable passwords to keep us secure on our personal devices, while outfits simply give out our personal data free for the asking.

        What kind of idiot would be busy hacking one person's computer when it is a lot more rewarding to get everyone's data?

        220 million here, 220 million there. Pretty soon, you're talking about a lot of people.

  • The leak would appear less impressive in Monaco.
    • by hagnat ( 752654 )

      I would be quite surprised if Monaco had 220 million citizens whose data was exposed... that's a lot of people per square km

  • This is some form of joke. The thing is simply non-repairable.

    Data leaked include all forms of identifiers and secondary data used across hundreds of thousands of places
    to authenticate one person. Not to mention credit information, such as those used to calculate
    the credit score itself.

    And 220 million is a number larger than Brazil's population: which means everyone got their data leaked.

    The country will have to overhaul all forms of person/consumer/tax payer identification and authorization over
    the next couple of years in order to mitigate some of the damages in this leak.

    Meanwhile anyone is subject to identity theft at will, and can do nothing to prevent it.

  • by waspleg ( 316038 ) on Monday February 22, 2021 @09:41AM (#61089806) Journal

    agreement with voluntarily are losing your shit all the time. A quick search for Experian shows the exact same shit with South Africa, something in San Diego and a long list of their fuckery from Krebs [krebsonsecurity.com].

    The best part is they advertise their expertise at helping other companies avoid fines for these breaches. [experian.com]

    The Power of Experience

    Experian Data Breach Resolution helps businesses of all sizes manage the risk of fines, customer loss, negative press and litigation due to a breach of data. We have handled thousands of high-profile data breaches in nearly every industry.

    In 2010, 25% of the breaches we serviced fell into the medical data breach category. During a healthcare breach, companies look to Experian for proven guidance and leadership. Because mishandling a healthcare data breach can cost as much as $1.5 million in fines.

    Many government agencies, Fortune 500 companies and mid-size businesses also rely on the power of Experian.

    The power of experience indeed. The experience of no consequences.

  • by Gravis Zero ( 934156 ) on Monday February 22, 2021 @10:13AM (#61089950)

    Experian obviously has no interest in security and their little offshoot seems to be no better. The fact that the FTC didn't hand them a fine so large it would have bankrupted them was a major mistake because here they are pulling the same stupid shit as before.

  • by Anonymice ( 1400397 ) on Monday February 22, 2021 @11:59AM (#61090310)

    This leak was massive and touched basically everyone in the country (not just citizens). As far as I'm aware, it easily takes the crown for the biggest leak of personal information in history!

    Just to get a grasp of the sheer amount of information that was leaked, this is the list of data involved:

    Basic: Name, SSN, sex, DoB, names of parents
    Civil status (single, married, etc)
    Family ties: Details of immediate (cat. 1) & extended (cat. 2) family
    E-mail
    Telephone: Area code, number, operator, plan, type of line, date of installation
    Address: Full address, including longitude & latitude
    Household: SSN of the head of the house, number of members, household income, full address
    Level of Education
    Students: Uni, course, dates of entry & graduation
    Occupation: Role & worker's ID
    Employer: Operating name, tax ID, type of contract, date of admission, salary, hours p/week
    Salary: Value, type (hourly, monthly, etc), hours p/week
    Income: Total monthly income, social class, tax bracket
    Social Class: A1, A2, B1, B2, C1, C2, D, E
    Buying power: Level (high, medium, low), income, salary
    State aid/Benefits: Value, Status (Active/Inactive/Blocked), names & number of dependents, SSN
    Voter Registration
    Social identifiers: tax numbers, national health IDs, SSNs, worker IDs, etc
    Inland Revenue/Taxman registrations
    Credit Score: Credit activity, Risk score, Level of risk
    Debtors: Name, Type of debtor, Status, Type of debt, Value, Went to court?
    Bounced cheques
    Data precision: Percentage
    Analytical model: Predicted chance of the consumer buying products or services
    Photo ID
    LinkedIn: ID & URL
    Business: Businesses owned, number & percentage of shares held
    Public Workers: Descriptions of roles held, net income, type of contract
    Consultants: Status, Speciality, Worker's ID
    Death: Date of death, age, date of registration, name & address of registry office
