Pix key data from 87 thousand SumUp customers leaks onto the internet, reports BC

The Central Bank (BC) announced that the information linked to the Pix key of more than 87 thousand customers of SumUp, Sociedade de Crédito Direto, was leaked onto the internet, in the period between September 28, 2023 and March 16, 2024.

According to the BC, this leak revealed information on the user’s name, CPF with mask, relationship institution, agency and account number. Data protected by banking secrecy, such as balances, passwords and statements, were not exposed.

The BC pointed out that there was a security breach in the financial institution’s system that managed the data. All people whose information was exposed will be notified through the responsible institution’s own application or internet banking.

As highlighted by the Central Bank, these will be the only means of warning for the exposure of information. Any other means of contact must be disregarded, such as: telephone calls, SMS and notices via messaging applications and email.

According to the BC, the case will be investigated and sanctions may be applied. The legislation provides for a fine, suspension or even exclusion from the Pix system, depending on the severity of the case. O Instant payment system has become very popular in Brazil.

In a statement, SumUp said it had been informed of the incident by the Central Bank. “The company acted quickly to mitigate the situation, increase data protection and reduce the chances of the incident occurring in the future,” highlighted the statement.

This is the second notification from the Central Bank regarding the Pix key leak in a week. Last Monday, 46 thousand customers of Fidúcia Sociedade de Crédito ao Microempreendedor and Empresa de Pequeno Porte Ltd had information leaked.