The National Register of persons (Renaper) denied an alleged hacking of its database and assured that it was an improper use or theft of a password authorized for employees of the Ministry of Health. The alleged hack circulated on the social network Twitter last Saturday, exposing the private data of 44 people, and raised concern because it is the body that has the database of identities of the entire population of the country.
By this fact, the Renaper ffiled a criminal complaint before the Federal Criminal and Correctional Court No. 11 in which he specified that through the use of passwords granted to public bodies, images were leaked as belonging to personal procedures carried out at the Renaper. The agency, depending on the Ministry of the Interior, confirmed that it was an improper use of the user or theft of the password, but that the database did not suffer any data breach or leak. Now, employees of the health portfolio will be investigated.
“On Saturday, October 9, the Renaper learned that a Twitter user identified by the name of @aniballeaks – an account that was reported and is currently suspended – had published on said social network the images of 44 individuals, including there were officials and public figures of knowledge in general “, reported the Renaper.
The public body explained that its computer security team made a query on the 44 people involved in order to survey the latest consumption made through the use of the Digital Identity System (SID) on said profiles and detected that 19 images had been consulted at the same time they were published on the social network Twitter from an authorized VPN (Virtual Private Network) connection between ReNaPer and the Ministry of Health of the Nation.
The report from the Renaper computer security team specified that the connection, from an authorized profile, to consult the information that was disclosed as a hack occurred between 15:01 and 15:55 through the SID data validation service and “were immediately uploaded to the social network Twitter, without the consent of the Holder thereof“.
The agency “flatly ruled out” from the technical report that it was an unauthorized entry into the systems or a massive leak of agency data. “It was detected that an individual authorized user had improperly used the identity validation service for personal purposes through an authorized certificate from the Ministry of Health of the Nation,” insisted the body that, when presenting the complaint, requested that it be Investigate 8 Ministry of Health employees who had access to the password.