Brazilians have experienced yet another security incident that has exposed personal data linked to the popular instant payment service PIX, the second time in six months.
The Brazilian Central Bank (BCB) has revealed that a number of PIX keys registered with Brazilian fintech Acesso Soluções de Pagamento have been stolen, “due to occasional failures in systems of that payment institution”.
A PIX key is a stand-in for a customer’s bank account, such as a mobile number, email address or tax registration ID, that consumers can register and which allows them to send and receive payments.
According to the BCB, data linked to 160,147 PIX keys were stolen from Acesso in early December, including user names, tax numbers and account numbers.
This follows a similar incident last August which left more than 400,000 PIX keys registered with Banese bank exposed.
Although the incident exposed information related to PIX, “it is worth emphasising that it has not been originated in the Central Bank’s systems”, Pedro Eroles, a partner with expertise in banking and finance at Mattos Filho, told VIXIO.
“What happened was an incident related to customers’ registration data. That data is stored in the payment institution, in this case, Acesso Pagamentos,” Alexandre Vargas, senior associate lawyer specialising in fintech and payments at Cescon Barrieu Advogados, added.
The incident did not expose sensitive data, such as passwords, information on transactions or financial balances in transactional accounts. According to the central bank, information obtained could not be used to make transfers or access the accounts.
“This is very serious, but it doesn’t mean this could compromise all the system,” Vargas stressed.
“PIX system works well and it’s safer. Until now there has been no incident involving the PIX system itself nor a sensible data breach.”
Financial and payment institutions are subject to strict data protection and security rules in Brazil, in addition to regulations related to internal controls, internal audit, compliance and operational risk management, Eroles pointed out.
“The current PIX regulation addresses this subject,” Vargas added. The central bank “has been monitoring and imposing high cybersecurity and information security patterns to the participants”.
“The system is not 100 percent immune to hackers and data breaches. But if there is evidence about the institution’s responsibility, the BCB can apply some sanction,” Vargas added.
The BCB confirmed in its announcement that it has taken the necessary steps for an in-depth investigation, which, according to Vargas, could result in a fine and penalties imposed on the company and its administrators.
A phenomenal success
Launched in late 2020, PIX is one of the great payments success stories of the last few years.
In 2021 alone, its first full year of existence, PIX processed 9.5bn transactions, including 1.46bn alone in December 2021. By the end of 2021, Brazilians had registered more than 381m PIX keys, which is roughly equivalent to 1.5 keys per person.
On its first-year anniversary last November, BCB governor Roberto Campos Neto stressed that PIX “is an important vector for promoting financial inclusion” and the platform reaches all groups regardless of income and age.
PIX is also a key tool to help boost competition among payments industry participants. In April 2019, Brazil started its journey towards open banking with a four-phase plan to implement a data-sharing ecosystem.
In October 2021, the third phase in this process kicked off, which included enabling payment initiation providers to share information and enable new solutions for making payments across PIX.
The final phase four was launched last month, aimed at enabling an open finance network.