The Brazilian Computer Emergency Response Team (CERT.br), part of the Brazilian Network Information Center (NIC.br), the executive branch of the Brazilian Internet Steering Committee (CGI.br), has handled security incidents involving networks connected to the Internet in Brazil since 1997. In collaboration with the Brazilian Data Protection Authority (ANPD), it has published the Guide to Data Leakage, which aims to inform people about the risks that come with the processing of their data in digital environments.
The guide begins by stating that a leak occurs when data is improperly accessed, collected and disclosed on the Internet or sent to third parties, and that leaks may originate from:
1. data theft by attackers and malicious code exploiting vulnerabilities in systems;
2. access to user accounts by means of weak or leaked passwords;
3. action of employees or former employees who collect data from the company's systems and send them to third parties;
4. theft of devices containing confidential data; and
5. errors or negligence by employees when disposing of media (disks and thumb drives) without due care.
Particular attention should be paid to the following data:
1. access credentials, such as usernames and passwords;
2. financial information, such as bank account and credit card numbers;
3. documents, such as the National Taxpayer's Registry number (CPF), ID cards and driver's licenses;
4. contact information, such as addresses and telephone numbers;
5. health records, such as test results and medical records; and
6. other data, such as date of birth and names of family members.
The guide also lists the main risks faced by data subjects whose data has been leaked:
IDENTITY THEFT AND ONLINE ACCOUNT HACKING
a. Opening accounts in the target’s name;
b. Attempts to guess passwords or to answer security questions; and
c. Using leaked passwords to log in to other services with the same password and without some additional security mechanism like: (i) two-step verification, or (ii) prior authorization of devices.
IDENTITY THEFT LEADING TO FINANCIAL LOSSES
a. Obtaining credit cards, bank accounts and loans, leading to debts or illicit transactions on the target's behalf;
b. Improper financial transactions in their bank accounts or credit cards; and
c. Transfer of movable property or real estate in the target's name.
INFRINGEMENT OF PRIVACY
a. Private information, such as medical data or private conversations, may be exposed on the Internet.
SCAM ATTEMPTS
a. Extortion, in which the attacker blackmails the target by threatening to expose data;
b. The more information an attacker has, the more convincing they will be and the more easily they will deceive others; and
c. Leaked data can be used, for example: (i) in phishing attempts which may be targeted and personalized (spear phishing), (ii) to convince the target to reveal more information, (iii) to induce the target to carry out transactions and (iv) to impersonate the target.
Beyond this background, the first question after a data breach is what to do next. The guide answers with a road map that starts with obtaining the information listed below, while warning the data subject not to visit websites or open files that promise to confirm or display the leaked data:
1. what data leaked (this helps to know what action to take);
2. what mitigation measures have been or will be taken by the organization;
3. what measures should be taken by the data subject;
4. the dates of the potential leak; and
5. announcements and news about the leak.
Thus, according to the type of leak, guidelines are provided on how to remedy the situation:
LEAKED ACCESS CREDENTIALS
a. immediately change exposed passwords;
b. enable 2-step verification on accounts offering this feature, if it's not already enabled; and
c. use available mechanisms to analyze access logs and report improper access or attempts.
LEAKED CREDIT OR DEBIT CARDS
a. inform the card-issuing institutions;
b. review your card and bank account statements; and
c. dispute any identified irregular transactions via the official channels of the respective institutions.
The guide then lists good practices that everyone should follow:
1. activate alerts and monitor card and bank account statements. Watch for unusual transactions;
2. keep track of other financial records through dedicated services, such as Registrato, offered by the Central Bank of Brazil;
3. check with Cadastro Pré, a service maintained by the telecommunications companies, whether any prepaid mobile lines have been activated using the target's National Taxpayer's Registry number;
4. never provide verification codes to third parties;
5. activate notifications and monitor attempts to log in or recover or change passwords;
6. if an account is found to have been hacked or a profile has been created in the target's name: (i) follow the platform's procedures to recover access or report the fake profile and (ii) warn your contacts so that they do not fall for scams run from it;
7. do not click on links received via email or text messages, even if they appear to come from a known contact (they could be a spear phishing attempt); and
8. do not carry out financial transactions without first confirming the identity of the parties involved.
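Item c. under LEAKED ACCESS CREDENTIALS and item 5 above both come down to reviewing an account's access log for logins and password changes you did not make. The following Python script is an added example (not part of the CERT.br/ANPD guide) of what that review looks like when automated: it parses a small activity log in a constructed format, flags logins from unknown devices or unexpected countries, a burst of failed logins followed by a success, and any password reset or change. The log format, the sample lines, the device names and the IP addresses (RFC 5737 documentation ranges) are all made up for the example; the parser is the part you would adapt to a real provider's activity export.

```python
import re
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed line format for this example (not a real provider's format):
#   <ISO-8601 timestamp> <event> ip=<addr> device=<id> country=<CC>
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<event>login|login_failed|password_reset|password_changed) "
    r"ip=(?P<ip>\S+) device=(?P<device>\S+) country=(?P<country>[A-Z]{2})$"
)

# Devices the account owner recognises (assumption for the example).
KNOWN_DEVICES = {"pixel-7", "home-laptop"}

# Constructed sample log: a normal login, then a guessing burst from abroad that
# succeeds and changes the password.
SAMPLE_LOG = [
    "2024-03-02T08:15:00Z login ip=203.0.113.10 device=pixel-7 country=BR",
    "2024-03-02T22:40:01Z login_failed ip=198.51.100.7 device=unknown-web country=RU",
    "2024-03-02T22:40:09Z login_failed ip=198.51.100.7 device=unknown-web country=RU",
    "2024-03-02T22:40:15Z login_failed ip=198.51.100.7 device=unknown-web country=RU",
    "2024-03-02T22:41:02Z login ip=198.51.100.7 device=unknown-web country=RU",
    "2024-03-02T22:43:30Z password_changed ip=198.51.100.7 device=unknown-web country=RU",
]


@dataclass
class Finding:
    ts: str
    reason: str
    ip: str
    device: str


def parse_line(line):
    """Return (timestamp, event, ip, device, country), or None if the line is not in the format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.fromisoformat(m["ts"].replace("Z", "+00:00"))
    return ts, m["event"], m["ip"], m["device"], m["country"]


def analyze(lines, known_devices, home_country="BR",
            fail_threshold=3, window=timedelta(minutes=10)):
    """Return the log entries the account owner should review, in log order."""
    findings = []
    failures = []          # timestamps of failed logins inside the current window
    burst_reported = False
    minutes = int(window.total_seconds() // 60)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue           # tolerate unrelated or malformed lines
        ts, event, ip, device, country = rec
        stamp = ts.isoformat()
        if event == "login_failed":
            failures = [t for t in failures if ts - t <= window] + [ts]
            if len(failures) >= fail_threshold and not burst_reported:
                findings.append(Finding(stamp, f"{fail_threshold} failed logins within {minutes} min", ip, device))
                burst_reported = True
        elif event == "login":
            if device not in known_devices:
                findings.append(Finding(stamp, "login from unknown device", ip, device))
            if country != home_country:
                findings.append(Finding(stamp, f"login from unexpected country {country}", ip, device))
            if burst_reported and failures and ts - failures[-1] <= window:
                findings.append(Finding(stamp, "successful login right after a failed-login burst (possible password guessing)", ip, device))
            failures, burst_reported = [], False   # a successful login closes the window
        else:   # password_reset or password_changed
            findings.append(Finding(stamp, f"{event.replace('_', ' ')}: confirm you initiated it", ip, device))
    return findings


if __name__ == "__main__":
    for f in analyze(SAMPLE_LOG, KNOWN_DEVICES):
        print(f"{f.ts}  {f.reason}  (ip={f.ip}, device={f.device})")
```

Running the script lists five findings, all from the same foreign address: the failed-login burst, the successful login from an unrecognised device and country right after it, and the password change. Each of those is exactly what items c. and 5 ask you to report to the provider; the first benign login from a known device produces nothing.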
In the event of a data leakage, it is important to know who to ask for help, and the guide mentions three important entities that should be contacted, as appropriate:
1. financial institutions, if the leak has any financial aspect;
2. the police, to register a police report; and
3. the National Data Protection Authority (ANPD).
When filing the report, the affected data subject should state (i) which data was leaked, (ii) when they became aware of the leak, (iii) whether they believe their personal data was misused in a criminal act (such as swindling, fraud or illegal trade of personal data) and (iv) what evidence supports that belief.
Finally, the guide ends with advice on how to protect oneself with respect to:
REGISTRATIONS AND WEBSITES
1. When filling in registrations, ask yourself if you really need to provide all requested data and if the institution should retain them;
2. Read the privacy policies of used services;
3. When accessing websites, try to limit the data collected by cookies. Preferably, authorize only those essential for the current usage and frequently clean browsing history; and
4. Use secure connections (HTTPS) to prevent data from being intercepted and collected.
LINKS AND APPS
1. Be wary of links received via electronic messages, even from known contacts (which may have been sent from fake or hacked profiles);
2. Check through the privacy settings of your devices and installed software. Limit the number of apps that can use your microphone, cameras, contacts and location; and
3. Delete unused apps.
ACCOUNTS AND PASSWORDS
1. Create strong passwords, do not repeat passwords and, if possible, enable two-step verification; and
2. When available, enable login notifications so that it is easier to notice when someone else accesses your accounts.
FILES AND DEVICES
1. Keep devices secure: keep the operating system and apps updated and use the available security mechanisms;
2. Check the device's activity monitor for the list of running programs and be suspicious of unusual processes;
3. Avoid placing files containing personal and confidential data, such as photos and copies of documents, in the cloud; and
4. Use encryption whenever possible to protect the stored data.
This guide complements a series of joint ANPD initiatives aimed at educating people about, and raising awareness of, the importance of protecting personal data.