Date: 2021-10-22

Online Shopping: Data Leakage. Credit: Rupixen.com/Unsplash

The report was released by the Safety Detectives group and, according to a report published in UOL, the data amounts to 610 gigabytes of information.

The researchers found a misconfigured Hariexpress server running ElasticSearch, which works like a search engine within websites. It was unencrypted and had no password protection. The exposure was identified in May this year, but the report was only released in October because the data are in Portuguese.

Hariexpress offers a service where merchants can automate sales through the marketplace, where large retailers display third-party products. To facilitate the process, sellers register their products at once in several stores. In addition to those already mentioned, the company has integration with the Post Office.

This exposure can make customers and sellers the targets of scams. The report did not say how many individuals or companies the 1.75 billion records represent. The Safety Detectives group reported that it was unable to resolve the server incident with Hariexpress.

Leaks like this have become constant and have raised a warning about the lack of protection of personal data. According to the CEO of Procon-ES, Rogério Athayde, companies are required to have mechanisms to ensure the control and security of consumers’ personal data.

In case of non-compliance with the rules dictated by the General Law for the Protection of Personal Data (LGPD), Athayde explains that companies may suffer administrative, civil and criminal sanctions provided for by law and in the Consumer Protection Code.

The Gazette's reporters consulted three experts on the subject to find out how consumers can tell whether their data has been exposed and what to do if it has: the director of relations at the Brazilian Institute for Consumer Protection (Idec), Igor Britto; criminal lawyer Raphael Câmara; and information security specialist Gilberto Sudré.

HOW TO KNOW IF MY DATA HAS BEEN LEAKED

If the document has been leaked, it is possible to monitor the use of your CPF by checking for improper account openings and loan requests. This option is offered by Registrato, the Central Bank’s platform. Registration is free, and the person can find out whether someone has opened an account in their name, taken out financing, etc.

Credit protection services, such as Serasa and SPC, also let you check whether your CPF is being used in any way.

There are also platforms such as the haveibeenpwned.com website, where the user enters an email address and can see in which other places that email has leaked, and the meuenha.com website, which has a service that indicates whether the email was leaked. There’s even a Firefox browser tool called monitor.firefox.com that lets you enter the email and check for leaks.

SAFETY TIPS

01 Create secure passwords: Mix letters with numbers and also special characters (such as @, $, # and +). You can also replace letters with characters, such as “a” with “@” and “i” with “!”. Avoid very obvious passwords like your birthday.

02 Avoid using the same password across multiple services: Under no circumstances use the same bank password for accounts on internet services. If a password is leaked, it is easier for information from other accounts to be exposed as well.

03 Activate 2-step verification: In addition to the traditional password, you can choose another form of verification, an extra code to guarantee your identity (in addition to your password), which can be a random number or even an extra requirement to confirm your identity through your email.

04 Watch out for suspicious activity: Be wary when, for example, you start getting more frequent calls offering services (which can be real or fake); when someone uses your data to register in your name without your consent; and when you are sent false bills, including in the name of a well-known company, such as an internet operator.

05 Report the leak: You can register a police report online to prevent fraud. All you have to do is access the Civil Police or the State’s Virtual Police website and check if there is the option to report “Other Occurrences”. If there is, in the description of the occurrence, write simply and objectively what happened.

06 Were you harmed by the leak? Take the case to court: If you feel harmed, contact Procon if the company does not respond properly. Also report the case on the Consumidor.gov platform, if you are a registered company. It is still possible to file a lawsuit for redress in the Special Civil Courts (JECs).

HARIEXPRESS MEGA LEAK: WHAT WAS EXPOSED

The Hariexpress base had 610 gigabytes of information. Among the records found, there are personal data of customers and shopkeepers, such as:

Full names and account “nicknames” (user names);

Email addresses;

Phone numbers;

Full delivery addresses;

Billing details, including billing addresses and the amount paid for the goods;

Images of the delivered goods.

Also according to the laboratory, the sellers’ data included CNPJ, CPF and billing details.

WHAT THE COMPANIES SAY

UOL contacted the affected companies. Amazon says it takes data security very seriously. “We developed all our systems and processes considering information security. With respect to this episode, we were informed by HariExpress that no Amazon data leaked,” the company adds.

Americanas said that “it is not aware of any data leakage from its customers or vulnerability in its environment. The information was also certified by Hariexpress last week” and “continues to offer a complete and secure platform, adhering to all current legislation”.

Correios sent a note saying that “so far, there is no evidence of violation of information – of individuals or legal entities – from the state-owned company’s database. The Correios system, which maintains integration to the aforementioned server, acts only in the measurement of the weight of orders and pricing, with no processing of personal data”.

The company Magalu clarified that it had Hariexpress as one of its integrators for a period of ten months. During this period, HariExpress added only 30 sellers [to add products] to the company’s platform and recorded 12 sales. So far, Magalu has not registered any data leaks.

Mercado Livre preventively suspended the operation of Hariexpress on its platform “as soon as it heard what happened”. The company maintains that the platform “acts as an integrator of marketplaces, provides services exclusively to sellers who advertise products on different market platforms, including Mercado Livre”.

Also in a note, Shopee said, “Hariexpress has already reported that the company’s users have not been impacted. Shopee takes data privacy very seriously and is committed to ensuring the security and protection of data for everyone in the ecosystem.”