We talk here about a data leak that exposed 220 million Brazilians (including deceased) and 40 million CNPJs. It came with a third database being distributed for free on the internet: as found by Tecnoblog, the file contains information on more than 100 million vehicles in Brazil, including make, model, chassis and number of the plate – both in the new and in the old standard.
- Experts warn of risks after the leak that exposed 220 million Brazilians
- What to do in the event of a personal data leak ?
Heavy traffic in Barra da Tijuca, Rio de Janeiro (Image: Fernando Frazão/Agência Brasil)
Leak reveals data on 104 million vehicles
The 23GB file has data on exactly 104,193,161 cars, motorcycles and other types of vehicles. It would have been compiled in August 2020 and was circulating in forums on the open internet, with a link indexed by Google search and free download.
It was possible to confirm that the base contains correct information about ten different car plates , including make, model and color; this strongly indicates that the leak is real. This is something of concern because, according to Denatran, there were 107,948,371 vehicles registered in December 2020 – almost the total number of vehicles whose data were exposed on the internet.
The origin of this leak is not known. Unlike the cases involving 220 million CPFs and 40 million CNPJs, here there is nothing directly related to Serasa Experian. (It is worth remembering that the company denies being the source of these two other leaks.)
- Tecnocast 177 – The Big Data Leak in Brazil
Risks of Leaking Vehicle Data
This database does not reveal who owns each vehicle: that is, there are no driver's license (CNH) or CPF numbers. There is also no Renvam (National Registry of Motor Vehicles) number. Even so, this can pose a risk for owners.
The lawyer Luiz Augusto D'Urso, a specialist in digital law, explains to Tecnoblog that vehicle data can be used for various types of illicit, including cloning the chassis, cloning the car's documents and sending false fines to the owner of the vehicle.
This would even serve for hacking attempts on WhatsApp accounts: “criminals call to the victim with such data and impersonate the dealership, and due to warranty and revisions, they can try to get the victim's WhatsApp access code", says D'Urso, who is also President of ABRACRIM's National Cybercrime Commission ( Brazilian Association of Criminal Lawyers).
Leaked data on 104 million vehicles (Image: Reproduction)
The source of this leak is unknown but, if found, it can be held responsible under the LGPD (General Law for the Protection of Personal data). Data that allows identifying someone is also personal data, says the lawyer: “therefore, depending on the vehicle’s information, even if it is not directly linked to someone, it could be considered personal data and the company could be held responsible for the leak, as it could identify the owner indirectly.”
More giant leaks of this type could still happen. DataBreaches.net, which helped Tecnoblog investigate this case, notes that “researchers have been silently finding and muttering about huge databases of medical and personal information on Brazilians for over a year.” Many of these files would be in the hands of individuals or companies who have not yet released their findings.
What was exposed in the 104 million leak
Part of the data in the leak about vehicles (Image: Reproduction)
These are the categories of data revealed in the leak about 104 million vehicles:
- ID (internal database number)
- type of person (physical or legal)
- update date (varies from 1993 to 2020)
- plate (in old or new format)
- city and state of plate
- vehicle status
- restrictions (no restriction, restricted by robbery/theft, pledge, fiduciary alienation ria etc.)
- chassis number
- chassis situation (normal, with restriction)
- engine number
- gearbox number (if applicable)
- body number (if applicable)
- body type (open, closed, jeep, van, double cab, motorcycle, etc.)
- type of invoiced document
- invoiced UF
- “invoiced” (contains sequence of numbers related to the invoiced document, such as invoice)
- brand and model (there are 37 thousand different models)
- model year
- year of manufacture
- vehicle color
- vehicle type (bicycle, moped, scooter, motorcycle, automobile, bus, truck, etc.)
- type of vehicle (passenger, cargo, mixed, traction, oil, etc.)
- fuel (gasoline, alcohol, diesel, natural gas, electric, etc.)
- power (in HP)
- maximum pulling capacity
- total gross weight
- cargo capacity
- number of passengers
- number of axles
- nationality (national or imported)
- DI (Import Declaration)
- importer's identity
- importer's document type