Caixa Econômica Federal is a prominent Brazilian financial institution, widely known for managing various social programs, including the FGTS (Fundo de Garantia do Tempo de Serviço). The FGTS is a compulsory savings account for employees, funded by employers, which serves as a financial safety net for workers in case of dismissal without cause, severe illness, or natural disasters.
Breach Details
Date Discovered: August 6, 2024
Breach Announced by: Sorb (Dark Web User)
Data Affected: FGTS service database (CRM)
Records Exposed: 39,000,000 lines
Incident Description
On August 6, 2024, a user named Sorb on a dark web forum announced the availability of a massive database containing 39 million lines of FGTS service records. The database appears to be from Caixa Econômica Federal’s customer relationship management (CRM) system and includes sensitive information related to the FGTS accounts.
What is FGTS?
The Long Service Guarantee Fund (FGTS) was established to protect workers who are dismissed without just cause. It does so by maintaining a savings account linked to each worker's employment contract. Employers contribute 8% of each employee's salary to this fund monthly. The fund is managed by CAIXA and serves as a financial reserve for the employees.
Threat Actor Profile
Username: Sorb
Forum Status: GOD User
Posts: 58
Threads: 17
Reputation: 99
Joined: June 2023
Sorb is a well-known figure on the dark web, with a high reputation and frequent activity on forums related to data breaches and cybercrime. The announcement included a screenshot showing the FGTS system interface, suggesting the threat actor has access to internal systems or databases.
Impact Analysis
Potential Consequences
- Data Exposure: Personal and financial information of millions of FGTS account holders could be exposed, leading to identity theft, fraud, and financial loss.
- Reputational Damage: CAIXA’s reputation as a secure financial institution could suffer significantly, impacting customer trust and business operations.
- Regulatory Fines: CAIXA could face fines from regulatory bodies for non-compliance with data protection laws.
Affected Parties
- Employees: Individuals with FGTS accounts are at risk of personal data exposure.
- Employers: Companies that contribute to FGTS funds may face scrutiny and need to reassure employees about data security.
- CAIXA: The bank may face legal, financial, and reputational repercussions.