The Central Bank announced on Monday (18) the exposure of more than 46,093 Pix keys from Fidúcia, a financial institution that operates in the credit segment for microentrepreneurs and small companies. The leak exposed customers’ registration data, but did not reveal passwords or other bank secrecy data — such as balance and statement.
According to the Central Bank, the cause of the leak was occasional failures in the Fiducia system (ironically, the name, according to the Priberam dictionary, means “trust”). In total, 46,093 Pix keys of the financial institution’s customers were leaked. In its statement, the Central Bank reinforces that the exposure of this data does not affect financial transactions.
The Central Bank also explains that there was not necessarily a theft of data, but that for a period of time this information was accessible to some people. As a result, malicious actors may have captured this data. The Central Bank is investigating the case and the Trust, as provided for by law, may be penalized.
Criminals Can Use Keys for Scams
Even if balance, statement, and financial transactions have not suffered from the theft, the leaked Pix keys can be used to apply scams. Criminals can use the acquired information for spam and scams.
These keys reveal the victims’ financial institution. With this information in hand, one of the scams that can be applied is that of the fake bank contact. Criminals can call or contact victims via email posing as the institution. One of the strategies of this scam is to inform that the customer has money to receive, but asks for a transfer fee.
Leak is the sixth in almost four years
This is the sixth Pix key leak since November 2020, when the transfer medium was launched. The largest case was that of the State Bank of Sergipe (Banese), in which 414.5 thousand telephone number keys were leaked. The most recent case was in September 2023, with Phi Pagamentos. Access Payment Solutions, Logbank and Abastece Aí had Pix keys leaked in 2022.