Particle.news
Download on the App Store

Dataprev Says 2.8 Million INSS CPFs Were Accessed in April Leak

The company says a one-day authentication flaw in a Meu INSS query allowed public responses, the bug has been fixed and the incident reported to the national data authority.

Overview

  • Dataprev told officials that unauthorized queries exposed 2.8 million INSS CPFs, and that about 98% of the accessed records correspond to people who are deceased while roughly 50,000–52,000 living beneficiaries had dates of birth revealed.
  • Preliminary analysis attributes the exposure to a Meu INSS service query that accepted responses without requiring user authentication, a flaw that Dataprev says lasted for one day in April and was corrected once identified.
  • Dataprev and the INSS say they immediately implemented technical controls, limited simultaneous CPF queries, and are adding biometric checks as part of a broader security update.
  • Both agencies reported the case to the National Data Protection Authority and said there is no confirmed evidence that the accesses led to improper benefit payments or automatic payroll loans, though security experts warn leaked personal data can enable fraud.
  • Investigations and data consolidation are ongoing, figures remain subject to revision from earlier internal estimates, and affected living beneficiaries face possible identity-risk steps to monitor as ANPD and the agencies continue their probes.