Brazilian state-owned IT company Dataprev confirmed on Tuesday that a security flaw in the "Meu INSS" platform exposed personal data belonging to 2.8 million National Social Security Institute (INSS) beneficiaries. The incident, originally discovered on April 19, was significantly larger than the 1.5 million figure government technicians had privately estimated, and was only publicly disclosed last week following reporting by Folha de São Paulo.
What Happened
Dataprev, the federal data processing company that operates infrastructure for INSS, identified a failure in a security lock on the Meu INSS citizen portal on April 19. The flaw permitted improper queries against the agency's beneficiary database before access controls flagged the activity. The company initially declined to confirm the scope of exposure, citing an active investigation, but on May 26 acknowledged that 2.8 million individuals were affected. Brazil's National Data Protection Authority (ANPD) was notified as part of the breach response.
What Was Taken
Per INSS, roughly 97% of the leaked records correspond to deceased individuals, while approximately 50,000 records belong to living insured beneficiaries with no death record on file. Dataprev separately reported that 98.19% of unauthorized accesses targeted data on deceased persons. The exposed INSS database fields include CPF numbers (Brazil's national taxpayer identifier), benefit links, and affiliation data tied to social security entitlements. While the bias toward deceased subjects reduces direct fraud exposure for the majority of records, the living subset and the breadth of CPF exposure remain a significant identity-theft concern.
Why It Matters
CPF data is the cornerstone identifier for nearly every financial, governmental, and commercial transaction in Brazil. Even when paired with records of deceased persons, CPFs enable a well-documented criminal economy around "ghost" identity fraud, synthetic identities, and pension scams targeting surviving family members. The breach also underscores a recurring pattern in Brazilian government platforms where citizen-facing portals serve as enumeration vectors against backend social security infrastructure. For defenders, the incident reinforces that authorization logic, not just authentication, is the primary attack surface in identity-heavy public services.
The Attack Technique
Dataprev attributed the exposure to a flaw in a "security lock" on the Meu INSS platform, language consistent with a broken access control or authorization bypass in the portal's query interface rather than credential compromise or external intrusion. The improper accesses were detected by internal monitoring and the agencies state that no fraudulent benefits or loans were granted as a result. Dataprev has since implemented new access controls and query rate limits, and INSS has expanded mandatory facial biometric verification as a downstream compensating control.
What Organizations Should Do
- Audit citizen-facing portals for broken object-level authorization (BOLA/IDOR), particularly any endpoint that accepts a national identifier as a lookup parameter.
- Enforce per-account and per-session query rate limits on identity lookup APIs, and alert on anomalous batch enumeration patterns.
- Tie sensitive lookups to step-up authentication such as biometrics or device attestation rather than relying on session cookies alone.
- Log and review all access to records of deceased individuals, which are commonly excluded from normal monitoring but remain valuable to fraud actors.
- Coordinate disclosure timelines with data protection regulators early; the gap between internal detection on April 19 and public disclosure widened reputational damage here.
- Provide breach notification and CPF-monitoring guidance directly to surviving relatives of deceased beneficiaries, who are the most likely fraud targets in this dataset.
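The first four recommendations above describe three controls that belong in the request path of any citizen-lookup endpoint: an object-level authorization check before any record is read, a per-account rate limit with enumeration alerting, and unconditional audit logging of access to records flagged as deceased. The following Python gate is an added illustration written for this article, not Dataprev or INSS code; the session roles, the delegation table, the record store, the thresholds (3 lookups per 60 s, alert at 3 distinct CPFs) and the "cpf-000N" identifiers are all constructed for the example.

```python
"""Authorization and anomaly gate for a beneficiary-lookup endpoint.

Added example, not Dataprev/INSS code. Models the controls recommended
above: object-level authorization on a CPF lookup, a per-account
sliding-window rate limit with enumeration alerting, and audit logging
of every access to a record flagged as deceased. All identifiers,
records, roles and thresholds are constructed for illustration.
"""
from collections import defaultdict, deque
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Session:
    account_id: str
    role: str                      # hypothetical roles: "citizen" or "agent"
    own_cpf: Optional[str]         # CPF of the logged-in citizen (None for agents)
    delegated: frozenset = frozenset()  # CPFs this account is authorized to act for


@dataclass
class Decision:
    allowed: bool
    reason: str
    alerts: list = field(default_factory=list)


class LookupGate:
    def __init__(self, records, max_per_window=20, window_s=60, enum_threshold=5):
        self.records = records                 # cpf -> {"deceased": bool}
        self.max_per_window = max_per_window   # per-account cap inside the window
        self.window_s = window_s
        self.enum_threshold = enum_threshold   # distinct CPFs per window before alerting
        self.history = defaultdict(deque)      # account_id -> deque of (timestamp, cpf)
        self.audit = []                        # append-only trail: (ts, account, cpf, event)

    def _authorized(self, session, cpf):
        """Object-level check: may this account read this particular record?"""
        if session.role == "agent":
            return True
        return cpf == session.own_cpf or cpf in session.delegated

    def _prune(self, account_id, now):
        """Drop history entries that fell out of the sliding window."""
        q = self.history[account_id]
        while q and now - q[0][0] > self.window_s:
            q.popleft()
        return q

    def lookup(self, session, cpf, now):
        alerts = []
        # 1. Authorization runs before any record access; a valid login is not enough.
        if not self._authorized(session, cpf):
            self.audit.append((now, session.account_id, cpf, "denied:authz"))
            return Decision(False, "forbidden", alerts)
        # 2. Per-account sliding-window rate limit on lookups that passed authorization.
        q = self._prune(session.account_id, now)
        if len(q) >= self.max_per_window:
            self.audit.append((now, session.account_id, cpf, "denied:ratelimit"))
            return Decision(False, "rate_limited", alerts)
        q.append((now, cpf))
        # 3. Enumeration signal: many distinct CPFs from one account inside the window.
        distinct = {c for _, c in q}
        if len(distinct) >= self.enum_threshold:
            alerts.append(f"enumeration:{session.account_id}:{len(distinct)}")
        # 4. Record access; deceased records are logged and alerted on every time.
        record = self.records.get(cpf)
        if record is None:
            self.audit.append((now, session.account_id, cpf, "miss"))
            return Decision(False, "not_found", alerts)
        if record["deceased"]:
            self.audit.append((now, session.account_id, cpf, "deceased-access"))
            alerts.append(f"deceased-record-access:{session.account_id}")
        else:
            self.audit.append((now, session.account_id, cpf, "ok"))
        return Decision(True, "ok", alerts)


# Constructed sample records (not real CPFs): two living, three deceased.
RECORDS = {
    "cpf-0001": {"deceased": False},
    "cpf-0002": {"deceased": False},
    "cpf-0003": {"deceased": True},
    "cpf-0004": {"deceased": True},
    "cpf-0005": {"deceased": True},
}


def demo():
    """Run a citizen and an agent account through the gate; returns (gate, decisions)."""
    gate = LookupGate(RECORDS, max_per_window=3, window_s=60, enum_threshold=3)
    citizen = Session("acct-c", "citizen", own_cpf="cpf-0001",
                      delegated=frozenset({"cpf-0003"}))
    agent = Session("acct-a", "agent", own_cpf=None)
    out = {}
    out["self"] = gate.lookup(citizen, "cpf-0001", now=0)       # own record: allowed
    out["delegated"] = gate.lookup(citizen, "cpf-0003", now=1)  # delegated, deceased: logged
    out["other"] = gate.lookup(citizen, "cpf-0002", now=2)      # someone else's: forbidden
    out["agent1"] = gate.lookup(agent, "cpf-0002", now=10)
    out["agent2"] = gate.lookup(agent, "cpf-0004", now=11)
    out["agent3"] = gate.lookup(agent, "cpf-0005", now=12)      # 3 distinct: enumeration alert
    out["agent4"] = gate.lookup(agent, "cpf-0001", now=13)      # 4th in window: rate limited
    out["agent5"] = gate.lookup(agent, "cpf-0001", now=80)      # window has slid: allowed
    return gate, out


if __name__ == "__main__":
    gate, out = demo()
    for name, d in out.items():
        print(f"{name:10s} allowed={d.allowed!s:5s} reason={d.reason:12s} alerts={d.alerts}")
    print("audit entries:", len(gate.audit))
```

The ordering is the point: authorization is decided before the record store is consulted, so an unauthenticated or merely authenticated caller learns nothing about whether a CPF exists, and the rate limiter only counts requests that were already authorized, which keeps a flood of forbidden requests from starving a legitimate account. The enumeration and deceased-record alerts are emitted on allowed requests, because the Dataprev incident shows that the dangerous queries are the ones the portal lets through.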
Sources: Dataprev leak exposed data from 2.8 million INSS beneficiaries - News Room USA