Banco Pan suffers data leakage and possible extortion

Banco PAN, controlled by BTG Pactual, suffered a data leak in the early hours of Friday (15). In a sample document sent to TecMundo, the account information of approximately 64 thousand customers is exposed. The bank would also be facing a possible extortion attempt to keep the data from being published.

In total, according to an anonymous tip, there would be 22 million compromised accounts. PAN's press office was emphatic that this number is false.

TecMundo only confirmed the leak of 64 thousand accounts

So far, TecMundo has only confirmed the leak of the 64,000 accounts present in a 1 GB sample; the complete file, allegedly 25 GB, has not yet been sent.

Among the information it is possible to find full name, CPF, date of birth, residential address, masked credit card information and account number, debit balance and invoice amount. The data was extracted between March 1st and March 20th, 2022.

A second anonymous source who approached TecMundo commented on an extortion attempt to prevent disclosure. This would be a second crime, besides the intrusion, that PAN would be dealing with.

The bank, when approached, sought to be transparent about the case and admitted the problem: “We recently detected a weakness in the platform of a technology provider, used in the Customer Service Center in the card segment. We activated our security protocols, notified the software company for immediate correction of the vulnerability and hired independent expert consultants for a complete analysis.”

Still, it told TecMundo that “according to the ongoing investigation, it has already been possible to verify that there was no current account compromise, system unavailability or intrusion into the Bank’s infrastructure; it was confirmed, however, that the exploitation of the vulnerability allowed unauthorized copying of registration data, available limit and debit balance, without exposing complete card data, passwords or any data that would incur a direct financial risk for the customer or the bank. We reinforce that information security is our priority and all relevant authorities have been notified.”

With this position, PAN seeks to make it clear that bank data that generate financial risk via PAN were not leaked, the leak being limited to name, CPF, date of birth, address, account number, balance and invoice amount, and that law enforcement authorities are already investigating the unauthorized access.

Extent of the leak

How the attack happened

Details about the hack were not shared clearly, but the attacker described how he managed to gain unauthorized access.

“The bank uses weak and simple credentials to control all the email accounts responsible for processing customer information, such as registering new accounts, answering tickets, etc.,” the source said. “With a valid password obtained, a list of all public employee emails was made, and with a password spray attack it was possible to compromise many accounts that had access to customer data.”
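A defender-side check for the pattern the source describes, as an added example that is not from the article, the source or the bank: password spraying makes one or two guesses against many accounts, so a per-account lockout never trips, and the signal is instead one source touching many distinct accounts in a short window. The log format, IPs and account names below are constructed.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample authentication log (not from the article):
# timestamp, source IP, account, result
SAMPLE_AUTH_LOG = """\
2022-03-01T08:00:01 203.0.113.7 alice@bank.example FAIL
2022-03-01T08:00:03 203.0.113.7 bob@bank.example FAIL
2022-03-01T08:00:05 203.0.113.7 carol@bank.example FAIL
2022-03-01T08:00:07 203.0.113.7 dave@bank.example SUCCESS
2022-03-01T08:00:09 203.0.113.7 erin@bank.example FAIL
2022-03-01T08:00:11 203.0.113.7 frank@bank.example FAIL
2022-03-01T08:30:00 198.51.100.2 alice@bank.example FAIL
2022-03-01T08:30:02 198.51.100.2 alice@bank.example FAIL
2022-03-01T08:30:04 198.51.100.2 alice@bank.example SUCCESS
"""

def parse_auth_log(text):
    """Parse the constructed log into (timestamp, ip, account, result) tuples."""
    events = []
    for line in text.splitlines():
        ts, ip, account, result = line.split()
        events.append((datetime.fromisoformat(ts), ip, account, result))
    return events

def detect_password_spray(events, window=timedelta(minutes=10), min_accounts=5):
    """Return {ip: accounts} for source IPs whose failed logins hit at least
    min_accounts distinct accounts inside a sliding time window. A user who
    mistypes their own password repeatedly (one account) is not flagged."""
    failures_by_ip = defaultdict(list)
    for ts, ip, account, result in sorted(events):
        if result == "FAIL":
            failures_by_ip[ip].append((ts, account))
    alerts = {}
    for ip, fails in failures_by_ip.items():
        start = 0
        for end in range(len(fails)):
            while fails[end][0] - fails[start][0] > window:
                start += 1  # slide the window forward
            accounts = {acct for _, acct in fails[start:end + 1]}
            if len(accounts) >= min_accounts:
                alerts[ip] = accounts
                break
    return alerts

def successes_from_flagged_ips(events, alerts):
    """Accounts that logged in successfully from a flagged IP: the ones to
    reset and review first, since a spray only needs a few hits to matter."""
    return {ip: sorted(acct for _, i, acct, r in events if i == ip and r == "SUCCESS")
            for ip in alerts}
```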

The attacker comments that he started an API identification process

The attacker also says that he started a process to identify the API from which the data was delivered to the email system, and that he developed a script to extract customer information.

“The script was simple: it just used a valid cookie to send authenticated requests to the API and saved the result in a text file. In total, information was extracted from more than 22M Banco Pan customers, which, as mentioned above, contains a lot of information that can be used by criminal groups.”

In his report, the attacker made it clear that he also sent a report to Banco Pan's CSIRT (the technical group responsible for handling security incidents) with all the details of how the attack was carried out, including the CWE and a calculated CVSS severity score.

How to protect yourself in the event of a leak

Some tips are important for people who have had their data leaked, especially with data as recent and accurate as that in this leak.

Leaked information like this opens up the possibility of the following scams: phishing, spear phishing (fake messages built from accurate, targeted data), identity theft and the opening of fake accounts.

  • Enabling two-factor authentication is mandatory. Do this in apps, services and email. Avoid SMS as the second factor; look for app-based solutions such as Authy, Google Authenticator and Microsoft Authenticator.
  • Be wary of links and messages that reach you, especially payment slips (boletos). If in doubt, be proactive and contact the bank through an official channel.
  • There is a very simple way to find out whether you have been a victim of fraud: the Central Bank's Registrato website shows which current accounts are linked to the holder's CPF. After a simple registration, it is possible to access information on loans and financing, the list of banks where you have an account, PIX keys registered with payment institutions and data on foreign exchange operations or international transfers.

According to lawyer Rofis Elias Filho, from Elias Filho Advogados, “the LGPD protects the privacy of the personal data of all clients and also provides that the data controller will be held responsible for the property and moral damages caused, whether individual or collective, according to article 42”. Therefore, customers who feel aggrieved in any way can contact the bank for investigation.

Reporting to TecMundo

TecMundo supports the work of ethical hackers; our contact channels are: