Keys of 238 Phi Pagamentos customers were leaked due to failures in the institution’s systems

Date: 2023-08-23

A total of 238 Pix keys belonging to customers of Phi Pagamentos (Phi Serviços de Pagamentos SA) were leaked, the Central Bank (BC) reported this Tuesday (22.Aug.2023). The problem was due to occasional failures in the payment institution’s systems. This was the 5th data leak since the launch of the instant payment system in November 2020.

The monetary authority stated that Pix’s security and monitoring mechanisms minimized the extent of the leaked registration data, limiting exposure to 238 Pix keys, or less than 0.00004% of the more than 630 million keys registered in the Directory of Identifiers of Transactional Accounts (DICT).

According to the BC, the exposure involved registration data, which does not affect the movement of money. Data protected by bank secrecy, such as balances, passwords and statements, were not exposed.

Although the case did not need to be reported because of the low potential impact for customers, the monetary authority stated that it decided to disclose the incident in the name of its “commitment to transparency”.

All people who had information exposed will be notified through the Phi Pagamentos application or the internet banking of the institution.

The Central Bank said that these will be the only channels used to notify customers about the exposure of Pix keys and asked customers to disregard communications such as phone calls, SMS and warnings via messaging apps and email.

Data exposure does not necessarily mean that all information has been leaked, but that it has been visible to third parties for some time and may have been captured.

The BC said that the case will be investigated and that sanctions may be applied. The legislation provides for a fine, suspension or even exclusion from the Pix system, depending on the severity of the case.

History

In August 2021, 414,500 phone-number Pix keys of the Bank of the State of Sergipe (Banese) were leaked. Initially, the BC had disclosed that the leak at Banese had reached 395,000 keys, but the number was later revised.

In January 2022, it was the turn of 160.1 thousand customers of Acesso Soluções de Pagamento to have information leaked. In the following month, 2,100 Logbank payments customers also had their data exposed.

The most recent leak was recorded in September 2022, when data from 137,300 Pix keys from Abastece Aí (Abastece Ai Clube Automobilista Payment Ltda.) were leaked.

In all cases, registration information was leaked, without exposing passwords and bank balances. By determination of the LGPD (General Data Protection Act), the monetary authority maintains a page where citizens can follow incidents related to the Pix key or other personal data held by the BC.

With information from Brazil Agency