Apache Misconfig Leaks Data on 120 Million Brazilians

The identity numbers of 120 million Brazilians have been found publicly exposed on the internet after yet another IT misconfiguration.

The data relates to Cadastro de Pessoas Físicas (CPFs): ID numbers issued by Brazil’s central bank to all citizens and tax-paying residents. The size of the leak represents data on over half the population of South America’s biggest country.

Researchers at InfoArmor’s Advanced Threat Intelligence Team found the database exposed on an Apache web server in March, after a simple internet search.

“Upon closer examination of the server that was discovered by InfoArmor’s researchers, it was found that someone had renamed the ‘index.html’ to ‘index.html_bkp,’ revealing the directory’s contents to the world. Anyone who knew the filename or navigated to it would have unfettered access to all the folders and files within,” its report explained.

“Two simple security measures could have prevented this: not renaming the main index.html file or prohibiting access through .htaccess configuration. Neither of these basic cybersecurity measures were in place.”
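The report's two measures map onto one Apache setting: whether the `Indexes` option is active for the document root. When it is and the `index.html` that normally answers a request for `/` is renamed away, mod_autoindex generates a listing of every file in the directory. The following script is an added example written for this article, not code from InfoArmor or the original report; it embeds a constructed weak `<Directory>` block beside its hardened form (the `/var/www/html` path is assumed) and audits any Apache configuration or `.htaccess` text for `Options` directives that leave auto-generated listings enabled.

```python
"""Audit Apache configuration text for enabled directory listings (mod_autoindex)."""
import re
from dataclasses import dataclass


@dataclass
class Finding:
    section: str   # enclosing <Directory>/<Location> block, or "(server root)"
    line_no: int   # 1-based line in the audited text
    reason: str


# Constructed weak configuration: a missing index.html exposes the whole directory.
WEAK_CONFIG = """\
<Directory "/var/www/html">
    Options Indexes FollowSymLinks
    AllowOverride None
    Require all granted
</Directory>
"""

# Constructed hardened form: listings are off regardless of whether index.html exists,
# and .htaccess files are allowed to tighten Options/auth further.
HARDENED_CONFIG = """\
<Directory "/var/www/html">
    # Never fall back to an auto-generated listing when index.html is missing
    Options -Indexes +FollowSymLinks
    # Permit per-directory .htaccess overrides for auth and Options
    AllowOverride AuthConfig Limit Options
    Require all granted
</Directory>
"""

SECTION_OPEN_RE = re.compile(r'^<(Directory|Location|Files)\w*\s+("?[^">]+"?)\s*>', re.I)
SECTION_CLOSE_RE = re.compile(r'^</(Directory|Location|Files)\w*\s*>', re.I)
OPTIONS_RE = re.compile(r'^Options\b(.*)$', re.I)

# Option tokens that turn mod_autoindex listings on ("All" implies Indexes).
LISTING_OPTIONS = {"indexes", "all"}


def audit_directory_listing(config_text: str) -> list[Finding]:
    """Return one Finding per Options directive that enables directory listings."""
    findings: list[Finding] = []
    stack: list[str] = []  # currently open configuration sections
    for line_no, raw in enumerate(config_text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()  # drop comments and whitespace
        if not line:
            continue
        if m := SECTION_OPEN_RE.match(line):
            stack.append(f"{m.group(1)} {m.group(2)}")
            continue
        if SECTION_CLOSE_RE.match(line):
            if stack:
                stack.pop()
            continue
        if m := OPTIONS_RE.match(line):
            section = stack[-1] if stack else "(server root)"
            for token in m.group(1).split():
                name = token.lstrip("+-").lower()
                # "-Indexes" explicitly disables listings; "Indexes"/"+Indexes"/"All" enable them
                if name in LISTING_OPTIONS and not token.startswith("-"):
                    findings.append(Finding(section, line_no,
                                            f"'{token}' enables auto-generated directory listings"))
    return findings


if __name__ == "__main__":
    for label, text in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        results = audit_directory_listing(text)
        print(f"{label}: {len(results)} finding(s)")
        for f in results:
            print(f"  line {f.line_no} in {f.section}: {f.reason}")
```

Two caveats follow from the weak block. First, `AllowOverride None` means any `.htaccess` placed in the directory, including one carrying `Options -Indexes` or a `Require` rule, is silently ignored, so the report's second measure only works when the main configuration grants the relevant override. Second, turning listings off is not access control: a file whose name is known or guessable is still served, so sensitive data should sit outside the document root entirely rather than rely on the absence of an index.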

Only weeks later, after the firm's attempts to contact the SQL host went unanswered, was the issue fixed.

“What was originally misconfigured to be accessible by IP address was reconfigured as a functional website with an authenticated alibabaconsultas.com domain that redirected to its login panel,” it explained.

“Although InfoArmor cannot be sure that alibabaconsultas.com was responsible for the leak, it appears they were somehow involved, likely in a hosting-as-a-service function.”

The security firm warned that “it is safe to assume” either a nation state or cybercrime group now has the leaked information.

Ilia Kolochenko, CEO of High-Tech Bridge, said a thorough investigation is required by the Brazilian government.

“The major question here is how did this highly sensitive and confidential data go online on a third-party server in a flagrant violation of all possible security, compliance and privacy fundamentals? Who else has access to this data and its copies?” he argued.

Source: Information Security Magazine