Public transportation system in the city of São Paulo suffers a hacker attack which exposes personal data of its users

The system of SPTrans, which is responsible for public transportation in the city of São Paulo, Brazil, was breached by hackers. The security incident became known on December 15, 2022, and the affected data subjects were notified starting on December 23 of the same year.

13 million users had the following personal data exposed, from the April 2020 database: name, social name, date of birth, CPF number, RG number, address, telephone number, parentage (filiation), PIS number, student registration number, marital status, place of birth, gender, e-mail, as well as the login and password for the online service portal.

In situations like this, the Brazilian General Personal Data Protection Law, Law No. 13.709/2018 (“LGPD”), provides that the controller (the party responsible for decisions regarding the processing of personal data) must notify the Brazilian National Data Protection Authority (“ANPD”) and the data subjects of any incident that may entail risk or relevant damage to the data subjects (article 48, LGPD). SPTrans fulfilled this obligation: it notified the ANPD and the affected data subjects, and also informed the Police so that the attack could be investigated.

As a recommendation, SPTrans asked its users to change the password used to access the service portal on the internet.

Author: Caroline Muniz, Associate Lawyer at Peduti Advogados.

Source: Hacker invade sistema da SPTrans e 13 milhões de usuários do Bilhete Único têm dados expostos

“If you want to learn more about this topic, contact the author or the managing partner, Dr. Cesar Peduti Filho.”
