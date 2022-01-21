The Central Bank announced, late this Friday morning (21), the occurrence of a new leak of Pix keys, an instant payments tool.

According to the monetary authority, customer registration data of the Acesso payment institution were exposed “due to occasional failures in the company’s systems. [própria empresa]”.

Registration data belonging to 160,147 Pix keys (which include user name, CPF, relationship institution, branch and account number) were leaked.

Information considered sensitive, such as passwords, information on transactions or financial balances in transactional accounts or other information under bank secrecy, was preserved.

“The information obtained [no vazamento] are of a cadastral nature, which do not allow the movement of resources, nor access to accounts or other financial information”, informed the BC in a note.

The Central Bank clarified that the people who had their registration data obtained from the leak will only be notified through the official channels of Acesso.

The BC also said it had adopted a set of actions to investigate the case and “will apply the sanctioning measures provided for in the current regulation”.

The agency maintains a specific page on its website that reports security incidents recorded in the country.

In August 2021, about 395,000 data on Pix keys from Banese (Banco do Estado de Sergipe) customers were leaked.

Enhanced protection

The Central Bank has been improving Pix’s security mechanisms.

Since November 16 of last year, financial institutions can preventively block, in cases of suspected fraud, funds received in an individual user account, for up to 72 hours.

The obligation to notify infringement was also put into practice. The measure extends its use to transactions in which the payer and recipient have an account with the same institution, for example, as well as transactions rejected on suspicion of fraud.

On September 23, 2021, the BC had already announced other anti-fraud measures, which included, in addition to Pix, other means of payment. The main one was the establishment of a limit of a maximum of R$ 1 thousand, for operations carried out between 8 pm and 6 am of the following day.

These limits may be changed at the customer’s request, as long as it is formalized in the electronic service channels. The institution, however, must establish a minimum period of 24 hours and a maximum period of 48 hours for the expansion of the transaction limit to be carried out. With this, the immediate increase in the customer’s risk situation is prevented.

