Date: 2021-10-01

The BC (Central Bank) has recorded the first leak of keys for Pix, the instant payment system. According to the authority, which reported the incident on Thursday (30), customer data from Banese (Bank of the State of Sergipe) was exposed due to “specific failures in the systems of this financial institution”.

In a statement to shareholders and the market, Banese stated that its technical department detected improper queries on data for 395,009 Pix keys, exclusively phone-number keys belonging to people who were not its customers.

The BC did not confirm the total number of exposed keys.

According to the institution, the data was obtained using two bank accounts of Banese customers, which were “probably obtained through social engineering (phishing or similar)”.

Although the BC said that the failure occurred in the institution’s system, Banese stated that the queries were made directly against a directory administered by the BC.

“Such queries were carried out in the Transactional Account Identifier Directory – DICT, administered by the Central Bank and with access restricted to institutions that initiate the procedure for carrying out a transaction by PIX, and which contains information of a registration nature: name, CPF, bank in which the key is registered, branch, account and other technical data used for anti-fraud control purposes, such as the date of opening the account and the date of registration of the key,” the statement from the institution said.

“No sensitive data, such as passwords, information on transactions or financial balances in transactional accounts, or any other information under bank secrecy was exposed. The information obtained is of a registration nature, which does not allow the movement of funds, nor access to accounts or other financial information,” the BC said in a statement.

The bank said that “the event did not affect the confidentiality of passwords, transaction history or other financial information of its customers”.

According to the monetary authority, people who had their registration data leaked will be notified exclusively through their bank’s application.

“Neither the BC nor participating institutions will use any other means of communication with affected users, such as messaging applications, phone calls, SMS or email,” the BC warned.

The BC said it has taken the necessary actions for the detailed investigation of the case and “will apply the sanctioning measures provided for in the current regulation”.

“Even though it is not required by current legislation, due to the low potential impact on users, the BC decided to communicate the event to society, in view of the commitment to transparency that governs its activities,” stated the BC.

Banese claimed to have revoked access to the two accounts used and to have implemented security mechanisms “aimed at preventing similar cases from happening again”.

The BC has recently implemented security measures to reduce the systems’ vulnerability to criminal exploitation in fraud, kidnapping and other crimes.

For example, a limit of R$1,000 was announced for nighttime Pix and TED (Available Electronic Transfer) operations between individuals in digital channels, which takes effect on October 4th.

In addition, last Tuesday (28), the BC published a rule that allows a bank to hold an operation suspected of fraud for up to 72 hours, a measure that takes effect on November 16th.