Central Bank reports data leak of 87 thousand Pix keys linked to SumUp

The Central Bank reported this Friday (22) the leak of 87,368 Pix keys from customers of SumUp Sociedade de Crédito Direto SA (Sumup SCD). According to the BC, no “sensitive data” was disclosed, such as passwords, information on transactions or financial balances or any other information subject to banking secrecy.

The incident occurred between September 28, 2023 and March 16, 2024 due to “specific failures” in the institution’s systems. The BC reported that the leaked information was: user name, Individual Taxpayer Registry (CPF) with mask, relationship institution, agency and account number.

“People who had their registration data obtained as a result of the incident will be notified exclusively through the application or via internet banking from their relationship institution. Neither the BC nor the participating institutions will use any other means of communication to affected users, such as messaging applications, phone calls, SMS or email”, highlighted the Central Bank.

The BC reinforced that the case is being investigated. The authority highlighted that “even though it is not required by current legislation, due to the low potential impact on users, the BC decided to communicate the event to society, in view of the commitment to transparency that governs its actions”.

Earlier this week, the BC reported the leak of registration data of 46,093 Pix keys under the responsibility of Fidúcia Sociedade de Crédito ao Microempreendedor e a Empresa de Porte Limitada (Fidúcia). In this case, according to the Central Bank, no sensitive data was exposed either.

The incident disclosed this Friday was the seventh recorded since the creation of Pix, in November 2020. In August 2021, 414.5 thousand Pix keys were leaked via the telephone number of the State Bank of Sergipe (Banese). Initially, the BC had announced that the Banese leak had reached 395,000 keys, but the number was later revised, reported the Brazil Agency.

In January 2022, it was the turn of 160.1 thousand customers of Acesso Soluções de Ação to have their information leaked. The following month, 2,100 Logbank payments customers also had their data exposed.

In September 2022, data from 137.3 thousand Pix keys from Abastece Ai Clube Automobilista Payment Ltda. (Abastece Aí) were leaked. In September last year, 238 Phi Payments Pix keys had information exposed.