Date: 2021-10-15

HariExpress, a sales integration platform and partner of large Brazilian retailers, exposed more than 1.75 billion pieces of confidential data (the equivalent of 610 gigabytes of information), according to a report by SafetyDetectives, an internet security company.

HariExpress is a Brazilian company that integrates the commercial data of those who sell on e-commerce platforms such as Correios, Mercado Livre, B2W Digital, Amazon, Shopee, Magalu, tinyERP, Bling! and Cloudshop.

The survey carried out by the team shows that the data was not protected by encryption, which left the personal information of merchants using the platform, and of their respective customers, vulnerable.

The leaked merchant data includes names, e-mail addresses, business addresses and CNPJ. The leaked data of customers who buy from these platforms includes order details, full names, e-mail addresses, telephone numbers, billing addresses, products and the amount paid for the goods.

According to the report, the server was apparently exposed on the Internet on May 12, 2021.

What retailers say

Magazine Luiza says it has relied on HariExpress as one of its integrators for ten months, and during that time it has added just 30 vendors to the company’s platform and recorded 12 sales.

“So far, Magalu has not registered any data leaks and is constantly monitoring the security of its information,” the company said in a statement.

Mercado Livre says that it has already asked HariExpress for clarification about any incident and its impacts, and that it remains committed to the security and protection of its users’ data.

When contacted, B2W Digital, Amazon and Shopee had not responded by the time this report was published.

Correios sent the following note to CNN Brasil Business:

“Correios initially clarifies that the material published by Safety Detectives does not specify which personal data of the company’s origin may have been allegedly violated.

Thus, Correios assesses that, so far, there is no evidence of violation of information, of individuals or legal entities, originating from the state-owned company’s database. The Correios system, which maintains integration with the aforementioned server, acts only in the measurement of the weight of orders and pricing, with no processing of personal data. Other data that may be shared in the transaction between the systems, such as the CEP, do not allow the identification of the holder of personal data, nor an object tracking code. Even so, Correios continues to investigate the case, to take the necessary and corrective measures, as appropriate.”

*Under supervision of Ligia Tuon