Researchers have uncovered an auction, held on underground forums, of a database allegedly containing personal information of 92 million Brazilian citizens. The seller claims that every record is real and unique, and also advertises a search service focused on Brazilians, saying that they can dig up details about an individual starting from minimal initial data.
Jonathan Deveaux, head of enterprise data protection with comforte AG, offered his perspective:
“The data from the 92 million Brazilian citizens being auctioned in the underground forum would fall in the category of requiring protection under the Brazilian General Data Protection Law (“Lei Geral de Proteção de Dados” or “LGPD”). Unfortunately, the law does not go into effect until August 15, 2020, a 6-month extension from the previous February 2020 date.
There’s one thing technology leaders can take from hackers and threat actors – which is the value of data. On the Dark Web and underground forums, data has value – so much that threat actors are willing to commit a crime to acquire it, and then another crime to sell it.
When technology leaders adopt a stronger view that ‘personal data has value,’ they might do more or invest more to protect it and keep it private. However, with the wave of data privacy regulations popping up around the world, organizations are going to have to protect data and privacy, whether the organization considers it valuable or not. Data privacy is shifting to focus on the consumer. Under Article 18 of the LGPD, consumers have rights for their data, and organizations need to ensure personal data is anonymized, redacted, or eliminated.
An emerging best practice among many technology leaders is to adopt a data-centric security approach, which protects personal data with anonymization technology like tokenization. Not only does tokenization allow organizations to meet compliance requirements and remain secure, but tokenization also allows organizations to securely embrace modern technology like hybrid or multi-cloud computing, which has been scrutinized as having major data security gaps.”