Several members-only dark web forums are reportedly auctioning what appears to be a stolen government database featuring the personal information of 92 million Brazilian citizens.
The 16GB SQL database contains such information as name, birth date, mother’s name, gender and tax details including taxpayer IDs, according to BleepingComputer, which credits the discovery to a researcher with the Twitter user name Breach Radar.
BleepingComputer examined a sample from the database and was able to verify that the information was accurate.
Brazil’s total population in 2019 is estimated to be over 210 million, meaning the database covers roughly 44 percent of the country’s inhabitants.
The seller, who goes by the handle X4Crow, has also been advertising a search tool that can help users look up records on Brazilians, even if they have only a small amount of initial information about a particular person.
Simply by typing in a full name, taxpayer ID or phone number could potentially yield far greater information gleaned from government-issued documentation such as ID cards and driver’s licenses, the seller claims. X4Crow also said the service can provide users with data on any company and its corporate structure.
“The data from the 92 million Brazilian citizens being auctioned in the underground forum would fall in the category of requiring protection under the Brazilian General Data Protection [Act], also known as Lei Geral de Proteção de Dados or LGDP,” said Jonathan Deveaux, head of enterprise data protection with data security company comforte AG, in emailed comments. “Unfortunately, the law does not go into effect until August 15, 2020, a six-month extension from the previous February 2020 date.” LGDP is considered similar in nature to Europe’s General Data Protection Regulation, or GDPR.