Brazil Govt’s Huge Leak: Health Data of 243M

Brazil’s Ministry of Health is under fire again for another massive leak of personal information. After the leak of COVID-19 patients’ details earlier in the year, a similar website faux pas has now exposed the data of 243 million Brazilian citizens.

That’s more than the entire population of Brazil: The staggering figure also includes the data of 30 million people who’ve died over the past few decades. Maldito inferno!

But you won’t believe the ridiculous way the data was exposed. In today’s SB Blogwatch, we fly away in our dreams.

Your humble blogwatcher curated these bloggy bits for your entertainment. Not to mention: Underrated Kate.


Zello FAIL (no, not that one)

What’s the craic? Catalin Cimpanu’s heart was entertained in June—“Data of 243 million Brazilians exposed”:

 Web developers left the password for a crucial government database inside the source code of an official Brazilian Ministry of Health’s website for at least six months. … Reporters said the site’s source code contained a username and password stored in Base64, [which] can be easily decoded.

The login information allowed access to SUS (Sistema Único de Saúde), the official database of the Brazilian Ministry of Health, which stored information on all Brazilians who signed up for the country’s public-funded health care system, established in 1989. The database contained all the personal information a Brazilian provided to its government, from full names to home addresses, and from phone numbers to medical details.

In June? Jay Peters stood beneath an amber moon—“Leak left 243 million Brazilians’ medical records and personal info ripe for the picking”:

 The personal information of more than 243 million Brazilians was potentially accessible for at least six months thanks to weakly encoded credentials kept in the source code of the Brazilian Ministry of Health’s website. … The database also includes records of living and dead people.

Given that you can look at any website’s source code with a keyboard shortcut or by accessing it in a menu, potentially anyone could have found these encrypted credentials. … Health records can be quite valuable on the black market given the amount of personal information they often include.

The security issue was first reported by Brazilian publication Estadão.

Who? Softly whispering “someday soon,” Fabiana Cambricoli is lost in translation—“New flaw by the Ministry of Health exposes personal data of more than 200 million Brazilians”:

 A new security breach in the Ministry of Health’s Covid-19 notification system left personal data of more than 200 million Brazilians exposed on the internet for at least six months. … The total number of records is greater than the number of inhabitants in the country (210 million) because there is information on people who have died.

These access credentials were in a section of the website code that is open for viewing by any user. … A person with basic knowledge of website development would be able to find the password, decrypt it and access the database.

The exposure is similar to the one reported to the ministry in June by the NGO Open Knowledge Brasil (OKBR). At the time, the organization identified that login and password for a database of patients with covid were also exposed in … the website code. After OKBR’s complaint, the ministry corrected the error pointed out by the entity, but did not review other possible flaws in the code.

The e-SUS-Notifica system, which has had at least two security flaws reported so far, was developed by the technology company Zello (formerly MBA Mobi), hired by the Ministry of Health to develop this and other software. … The company has received more than [$8.5 million] from the government since 2017.

Yikes. Heads will roll? Nope, says Parn, who kissed and clung together:

 It won’t happen, because in this administration no one is incompetent enough for any act to have any serious consequence. The economy is in its worst place in decades, with GDP tanking and unemployment soaring, health is a disaster with the second largest number of Covid-19 deaths in the world … no mass testing and no plan for universal vaccination.

Foreign relations are also a disaster with Brazil continuously isolating itself, and all that is only the tip of the iceberg. It will take decades to rebuild what has been destroyed in the last 6 years.

Then? Tomorrow was another day. So mattr asks:

 Nobody thinks it could have been malicious intent? After the past 4 years I’m leaning heavily toward, “Ascribe to malicious intent rather than assume incompetence.”

And the morning found Robert Prigge miles away, with still a million things to say:

 The exposed database containing the information of 243 million Brazilians puts the victims at risk of account takeover and other forms of fraud. … Fraudsters can leverage the breached information to impersonate citizens and access any accounts set up with the exposed information, where they can lock the user out and steal benefits.

Cybercriminals can also use the exposed data of deceased citizens to create synthetic identities, which can be used to commit additional fraud.

Now? When twilight beams the skies above, Nidi62 does the math:

 Brazil pop was 209.5 million as of 2018. Mean death rate for Brazil from 1993-2018 is roughly 6.3 per 1k individuals per year. With rounding, you get 1,260,000 dead per year. Over 25 years that is 31,500,000 dead. 31.5m plus 210m is 241.5 million. Yep, sounds about accurate to me.

Meanwhile, recalling thrills of our love, an exasperated Tony Burzio just gives up:

 At this point, you could make a point to just keep sensitive information on Facebook. It’s just as secure, and costs a lot less.

And Finally:

There’s one thing I’m certain of

Trigger warning: Guns and Gilliam.

Previously in And Finally


You have been reading SB Blogwatch by Richi Jennings. Richi curates the best bloggy bits, finest forums, and weirdest websites … so you don’t have to. Hate mail may be directed to @RiCHi or sbbw@richi.uk. Ask your doctor before reading. Your mileage may vary. E&OE. 30.

Featured eBook
7 Must-Read eBooks for Security Professionals

7 Must-Read eBooks for Security Professionals

From AppSec to SecOps, Security Boulevard eBooks deliver in-depth insights into hot topics that matter to the Cybersecurity and DevSecOps professionals. Our staff of writers are the best in the business, with decades of practical and award-winning experience and credentials. We are excited to share our 2019 favorites. Take a look and download some of ... Read More
Security Boulevard

Richi Jennings

Richi is a foolish independent industry analyst, editor, writer, and fan of the Oxford comma. He’s previously written or edited for Computerworld, Petri, Microsoft, HP, Cyren, Webroot, Micro Focus, Osterman Research, Ferris Research, NetApp on Forbes and CIO.com. His work has won awards from the American Society of Business Publication Editors, ABM/Jesse H. Neal, and B2B Magazine.

richi has 206 posts and counting.See all posts by richi