By Isabelle Fernandes
In early 2021, a leak exposed about 223 million records, a number that exceeds the Brazilian population of about 212 million people; information such as CPF, name, sex and date of birth is circulating on the internet today. Shortly thereafter, another leak was discovered in which data on more than 100 million mobile phones may have been exposed, such as social security number, mobile phone number, type of phone bill, minutes spent on calls and other personal data.
In both cases, the sources of the leaks are still not known for certain, but they are being investigated by the Federal Police at the request of the ANPD, the National Data Protection Authority, the body responsible for inspecting and ensuring the protection of personal data and for implementing and overseeing compliance with the General Data Protection Law (LGPD).
The exposure of confidential information is an Information Security (IS) incident popularly known as a "data leak". Leaked data can be used by malicious people: they can simply impersonate you to make a purchase in your name, obtain a credit card or a loan, or carry out other financial transactions.
To protect personal data, the General Data Protection Law (LGPD) was created and has been in force since September 2020. It aims to regulate the collection, storage and handling of personal data, requiring greater transparency from public and private companies, thus increasing the security of personal data and reducing the risk of Information Security failures and incidents.
Companies: how to protect the data of data subjects
A breach of confidentiality can cost an organization its reputation and its owners their peace of mind. Some measures can be taken to prevent this kind of incident:
– Keep operating systems up to date and choose those with a lower rate of vulnerabilities: when defining the systems used in your business environment, consider options that offer more security.
– Keep software updated: older versions may contain flaws and security holes that can be exploited.
– Make sure you use antivirus and firewalls: these security features prevent malicious programs from running.
– Do not use pirated software: unofficial software may contain malware, a program designed to infiltrate a computer system.
– Do not click on unknown links: advise your employees that, if they receive an email or message with suspicious links, the best course is not to open them, as it may be an attack such as phishing, in which the user is tricked into providing confidential information.
– Watch your passwords: guide your employees on how to take care of their passwords:
- When creating a password, combine different elements, such as upper and lower case letters, numbers and symbols;
- Do not use easy-to-guess elements such as dates, anniversaries, or names of loved ones or pets;
- Avoid using the same password in multiple places;
- Change them periodically. Passwords should also not be written on post-it notes and the like, or disclosed to third parties.
– Promote Information Security training: conduct training periodically to reinforce understanding of the processes and the importance of taking care of business information.
– Implement a Security Policy: in addition to preserving business information, the Policy establishes standards and guidelines to be followed in operations, which reduces the risk of exposure due to human error. It should describe the care to be taken throughout the entire processing lifecycle, from data collection to deletion.
Tips for the data subject:
To protect your privacy and avoid the exposure of personal data, there are some precautions you should take, such as:
– Avoid entering personal data on untrusted websites: if the site is unreliable, it is best not to risk compromising the security of your data by providing it.
– Read privacy policies: when accessing a website, find out what data it has access to and how it uses it.
– Avoid providing personal data for registrations in stores or on websites: some places offer discounts in exchange for data, but it is important to question how the information will be used and assess whether it is worth exposing your data.
– Avoid exposure on social media: photos of documents, computer screens or sensitive information should not be posted on social networks; after all, there is no way of knowing who is viewing them or how they may be used. When taking and posting selfies, for example, be careful with your surroundings so as not to expose any inappropriate information.
– Pay attention to calls, emails and messages from supposed banks and companies: if in doubt, do not provide data; contact the company through a trusted channel instead.
Leaked data can be used in scams and fraud, since, with a lot of information in hand, it becomes easy to convince someone that the scam is real.
If you are a victim of a leak, try to find out what information has been exposed, so that you know the scale of the problem and which rights you can claim. To protect yourself, file a police report describing what happened.
– Isabelle Fernandes is a GRC and Security Consultant at [SAFEWAY]
[SAFEWAY] can help your organization define the controls necessary to protect personal data by validating its level of adherence and maturity against the requirements of the GDPR (General Data Protection Regulation) and the LGPD (General Data Protection Law), considering the business environment in which it operates and identifying the main action plans for regulatory compliance, aiming at process improvements and gains for the organization.