Enel: loophole allowed access to CPF and customer debts – 03/12/2024 – Tech


Enel’s official website allowed strangers to download customer invoices. The document contains sensitive information, such as CPF, address and debt amounts.

The company only asked for a specific address and for the URL to be completed with an identification number.

The invoice access form only asked for the address and an identification number, according to Tecnoblog, which revealed the security flaw. Downloading via the link had been possible since mid-January, according to emails the company sent to Enel customers.
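To make the flaw concrete, here is an added illustration (not Enel's code, and not from the article) of the reported pattern, an invoice lookup gated only by an address and a guessable identification number, next to a hardened variant. The hardened variant assumes a server-side secret, an HMAC-signed link that expires, and a check that the logged-in customer actually owns the invoice; the invoice records and customer IDs are constructed sample data.

```python
import hmac
import hashlib
import secrets

# Constructed sample records: identification number -> invoice data.
INVOICES = {
    "10001": {"customer": "cust-A", "address": "Rua A, 1", "debt": 120.50},
    "10002": {"customer": "cust-B", "address": "Rua B, 2", "debt": 85.00},
}

# Assumed server-side key; it never appears in the link itself.
SECRET = secrets.token_bytes(32)


def download_insecure(invoice_id, address):
    """Mirrors the reported flaw: an address plus a sequential-looking
    identification number in the URL is all that is checked, so anyone who
    knows or guesses both values gets the invoice."""
    inv = INVOICES.get(invoice_id)
    if inv is not None and inv["address"] == address:
        return inv
    return None


def _mac(invoice_id, customer_id, expires_at, key):
    msg = f"{invoice_id}.{customer_id}.{expires_at}".encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


def issue_link_token(invoice_id, customer_id, expires_at, key=SECRET):
    """Build the token embedded in an emailed download link: it binds the
    invoice to its owner and to an expiry time, and is signed by the server."""
    return f"{invoice_id}.{customer_id}.{expires_at}.{_mac(invoice_id, customer_id, expires_at, key)}"


def download_hardened(token, session_customer_id, now, key=SECRET):
    """Hardened lookup: the link alone is not enough. The signature must verify,
    the link must not have expired, the caller must be logged in as the customer
    named in the link, and that customer must own the invoice."""
    try:
        invoice_id, customer_id, exp_s, mac = token.split(".")
        expires_at = int(exp_s)
    except ValueError:
        return None  # malformed token
    if not hmac.compare_digest(mac, _mac(invoice_id, customer_id, expires_at, key)):
        return None  # tampered or forged link
    if now > expires_at:
        return None  # stale link
    if session_customer_id != customer_id:
        return None  # holder of the link is not the owner
    inv = INVOICES.get(invoice_id)
    if inv is None or inv["customer"] != customer_id:
        return None  # invoice does not belong to this customer
    return inv
```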

The portal for downloading invoices was taken offline on the 6th, after contact from the Tecnoblog report.

Contacted by Folha, Enel gave a different account, saying that it resumed sending the document as an attachment on the 4th. Access to the PDF still requires an authentication code.

When the reporters checked the link sent with a company invoice, the page where the invoice could previously be downloaded displayed the message "access denied". The browser reports that access has been blocked.

Enel says that it “follows safety criteria usually practiced by the market”.

The downloaded document was password-protected, but licensed programs are able to remove that protection from a PDF.

After downloading the file, anyone could remove the password and access information such as full name, address, CPF and other registration data.

There is no evidence that this information inspired cyber attacks or massive data scraping, according to Tecnoblog.

According to USP digital law professor Juliano Maranhão, Enel may be held administratively liable for violating the LGPD (General Data Protection Law), following an administrative proceeding in which the company has the right to an adversarial defense.

“The ANPD [Agência Nacional de Proteção de Dados] has the power to investigate the leak incident and impose sanctions.”

There may also be civil liability in actions brought by affected customers.

If a victim proves that they suffered losses as a result of a data leak or security breach, the company responsible for processing the data may be required to compensate the customer, according to the STJ's (Superior Court of Justice) understanding of how the LGPD applies.

The loophole would have allowed criminals to automate the download of a massive number of invoices using a technique called data scraping, in which software is used to extract large amounts of information from a website.

The exposed sensitive information could enable identity theft and phishing scams, in which criminals use a fake message as bait to steal money and further data.

To avoid these scams, Internet users should be wary of offers, check whether the link matches that of the company or person mentioned and, ultimately, contact whoever offers the promotion to verify its existence.

Enel states that it only sends digital invoices upon prior choice by the customers themselves and verification of their identity.

Until January, Enel sent digital invoices attached to an email. Since then, the company has started to offer the alternative of receiving a link to download the account. Users were notified of the changes in the second half of January.

Even so, some of the customers consulted by Folha said they continued to receive the bill as a PDF file. The alternative proposed by Enel was a summarized version of the bill, containing the amount and the bill code for payment, with no need to open the document.

Enel has prioritized sending digital invoices since April 2020 as a result of the Covid pandemic, according to a statement. In this modality, the company says, there are paper savings and less chance of loss.

Tecnoblog tested the vulnerability only in São Paulo. Enel serves 24 municipalities in the metropolitan region of São Paulo, 66 in Rio de Janeiro and the states of Ceará and Goiás.
