Learn more about the cases registered so far and how to protect yourself if your data has been leaked.

The Central Bank (BC) is “technically responsible” for PIX, but the financial institutions operate the system and manage the data. Leaks happen because of weaknesses in data protection within those companies.

Given that, leaks can happen in several ways, from the simplest to the most complex: intrusion into or improper disclosure of databases, exposure of data outside the institution’s systems, emails sent to unprotected recipients, and so on.

“To date, none of the leaks have come from the BC. These were security flaws on the part of the institution itself”, says Marcelo Chiavassa, professor of digital law at Universidade Presbiteriana Mackenzie Campinas.

“In general, these leaks occurred due to human error, caused, for example, by someone clicking on a link capable of stealing the entire database”, he adds.


How many leaks have happened with the PIX?

Three leaks involving PIX have been recorded so far:

Logbank Soluções em Pagamentos S/A. Data on 2,112 PIX keys leaked, containing the user’s name, CPF, relationship institution and account number.

Access Payment Solutions. 160,147 keys were exposed. According to the BC, the information obtained was of a registration nature and did not allow funds to be moved or accounts and other financial information to be accessed.

Bank of the State of Sergipe (Banese). 395,009 PIX keys under the institution’s custody and responsibility were queried. The BC said that the leak “involved information of a cadastral nature, which does not allow for the movement of resources or access to accounts”.

Each leak is different, but the latest incidents involving PIX exposed customers’ PIX keys held by financial institutions, along with related data such as CPFs.

According to the Central Bank, a PIX key is simply a convenient identifier for receiving funds, linked to registration data such as the relationship institution, branch, account number and account type. The leaked data therefore gives no access to balances, payment flows or other bank transactions.

How do I know if my data has been leaked?

The BC also stated that people whose registration data was exposed in the incident will be notified “exclusively through the application of their relationship institution”.

“Neither the BC nor the participating institutions will use any other means of communication with affected users, such as messaging apps, phone calls, SMS or email,” the BC added.

An expert explains how not to fall for PIX scams

What leaked were PIX keys and related registration data. Without access to passwords or tokens, it is not possible to move money in the accounts.

“In isolation, it is a very small problem, because, even with the cell phone number or CPF, the person will not be able to access the bank account”, says Chiavassa.

But the BC warns that the exposed information can be used in “social engineering” scams, in which the scammer tries to persuade the victim to hand over whatever is needed to access the account in question.

A common example is someone who, in possession of the information, poses as a bank employee in an attempt to obtain the customer’s credentials.

In addition, criminals can cross-reference this data with older database leaks to make other scams more convincing. They can try to impersonate the victim when dealing with companies, or commit fraud such as the improper withdrawal of the victim’s FGTS (Fundo de Garantia do Tempo de Serviço).

“This is not a leak of sensitive information; the big problem is the combination of this data with other data, which can enable contact with a false message or the use of ‘phishing’”, says Bruno Diniz, partner at innovation consultancy Spiralem.

A common “phishing” tactic is to send fake emails or messages to victims in the name of companies such as banks, in order to obtain a financial advantage.

It is possible, for example, for criminals to send fake bills (telephone, internet, IPVA, IPTU, among others) by email. The victim, seeing a series of correct personal details, believes the debt is real and pays it.

How to protect my data?

There is no specific form of data protection available to users beyond their choice of financial institution. “This is the paradigm of current times. I believe that, in the near future, the digital security element will be seen as a differential, including in the banks’ marketing campaigns”, says Diniz.

For now, there is the General Data Protection Law (LGPD), which came into force in 2020 and aims to ensure more security and transparency in the use of personal information collected by public and private companies.

“We have punishments provided for by the LGPD, but it is necessary to observe how these cases will be treated by the National Data Protection Authority. So far, the leaks have not been serious. But they may be worse in the future”, says the expert.

For those whose data has already been leaked, the BC has issued some alerts. They are: