UPDATED 21:31 EDT / DECEMBER 03 2020


243M Brazilian health records exposed by password left in website source code

The personal information of 243 million people in Brazil has been exposed online after a password to access the information was left by the developers in the source code of an official Brazilian government website.

First reported Wednesday by Brazilian publication Estadao, the data was gathered by Sistema Único de Saúde, Brazil’s national health system. The exposed data included full names, addresses and telephone numbers. The number of records in the database exceeds the current population of Brazil of 209 million as it includes information of those previously registered who have since died.

According to ZDNet, the website’s source code that included the password can be accessed and reviewed by anyone pressing F12 inside their browser. The user name and password were stored in Base64, an encoding format that can be easily decoded to obtain the credentials to access the data.
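The following is an added example, not code from the article or from the site's developers: a pre-release check that scans page source for Base64 strings that decode to a user:password pair, the pattern described above. The sample page, token, URL and function names are constructed for illustration.

```python
import base64
import binascii
import re

# Runs of Base64 alphabet long enough to hold a short "user:password" pair.
B64_RUN = re.compile(r"[A-Za-z0-9+/]{12,}={0,2}")
# Decoded text shaped like credentials: colon-free user, ':', printable secret.
CRED_PAIR = re.compile(r"[\x21-\x39\x3b-\x7e]{2,64}:[\x21-\x7e]{4,128}")


def decode_candidate(token):
    """Return the decoded text if token is strict Base64 of ASCII, else None."""
    if len(token) % 4:
        return None
    try:
        return base64.b64decode(token, validate=True).decode("ascii")
    except (binascii.Error, ValueError):
        return None


def find_encoded_credentials(source):
    """Return (line_number, token) for Base64 strings decoding to user:password."""
    findings = []
    for lineno, line in enumerate(source.splitlines(), 1):
        for match in B64_RUN.finditer(line):
            text = decode_candidate(match.group())
            if text and CRED_PAIR.fullmatch(text):
                # Report the location and token only, never the decoded secret.
                findings.append((lineno, match.group()))
    return findings


# Constructed sample input: one encoded credential pair, one harmless token.
SAMPLE_TOKEN = base64.b64encode(b"example_user:example_pass").decode()
HARMLESS_TOKEN = base64.b64encode(b"icon-sprite-v2").decode()
SAMPLE_PAGE = f"""<html><script>
var api = "https://api.example.invalid/records";
var auth = "Basic {SAMPLE_TOKEN}";
var logo = "{HARMLESS_TOKEN}";
</script></html>"""

if __name__ == "__main__":
    for lineno, token in find_encoded_credentials(SAMPLE_PAGE):
        print(f"line {lineno}: Base64 string decodes to a credential pair: {token}")
```

A finding means the credential has to be rotated and moved server-side; changing the encoding does not fix it, because anything shipped to the browser is readable by the visitor.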

Officially, the Brazilian government has said that while there was potential exposure, there was no illicit access of the information, Globo reported.

“The exposed database containing the information of 243 million Brazilians puts the victims at risk of account takeover and other forms of fraud,” Robert Prigge, chief executive officer of identity verification firm Jumio Corp., told SiliconANGLE. “Fraudsters can leverage the breached information to impersonate citizens and access any accounts set up with the exposed information, where they can lock the user out and steal benefits. Cybercriminals can also use the exposed data of deceased citizens to create synthetic identities, which can be used to commit additional fraud.”

Since the exposure was caused by a third-party developer, he added, it’s critical government agencies and enterprises thoroughly vet their selected partners, especially those that handle and manage consumer data. “Even if enterprises have battened down the hatches on their own security, their efforts become meaningless if they do not ensure their vendors have done the same,” he said.

Ilia Kolochenko, founder and chief executive of web security company ImmuniWeb, noted that many organizations tend to outsource software development to the cheapest providers, eventually getting the corresponding quality and security of the code.

“Cybercriminals are perfectly aware of these amazing opportunities and effortlessly harvest the low-hanging fruit,” Kolochenko said. “Worse, such incidents and consequential attacks are hard, if not impossible, to detect in a timely manner.”
