Can a Data Leak Expose an Entire Population?

This post is also available in: עברית (Hebrew)

Researchers found records containing the private data of hundreds of millions of Brazilian citizens, fully accessible online on Elasticsearch, available to threat actors, and possibly putting the whole population at risk.

Elasticsearch is a tool that is commonly used for the search, analysis, and visualization of large volumes of data. The Cybernews research team revealed this publicly accessible instance containing a staggering amount of private data belonging to Brazilian individuals, but it seems that the leaked data was not linked to a specific company or organization, which prevented the researchers from identifying the source of the leak.

The data cluster was located on a cloud server and contained the full names, dates of birth, sex, and CPF numbers (the number identifying individual taxpayers in Brazil), and contained more than 223 million records, meaning that the entire Brazilian population might have been affected by the leak.

The data is no longer publicly available, but if it got into the hands of a malicious actor, it could have been misused for crimes like identity theft, fraud, and targeted cybercrimes, possibly leading to financial losses, unauthorized access to personal accounts, and many other severe consequences.

In cases of enormous leaks such as this, the massive scale amplifies the potential impact on the people involved.

This is not the first instance of massive data leaks allegedly belonging to governmental entities, or such data being sold online. Two instances from last year include a threat actor listing 23 terabytes of data on one billion Chinese citizens, and another leaking the personal data of 105 million Indonesian citizens and offering it up for sale online.