Lawrence Abrams reports:
A misconfigured server exposed the taxpayer identification numbers, or Cadastro de Pessoas Físicas (CPFs), for 120 million Brazilian nationals for an unknown period of time.
Before a Brazilian national can perform many tasks such as opening a bank account, creating a business, paying taxes, or getting a loan, they must first apply for a Cadastro de Pessoas Físicas. Similar to the U.S.A. Social Security Number, a CPF number becomes associated with an owner’s financial and personal information and is obviously a risk if it is publicly exposed.
According to new research by InfoArmor, an Apache web server was discovered in March 2018 that was not properly configured and thus exposed data archives that were stored on it.
[…]
While InfoArmor was never able to determine who owned the database, they were able to contact who they think was the hosting provider. Finally, by the end of March the directory was secured and the files were no longer available.
It is not known if any other researchers, or criminals, had discovered the data before it was taken offline. What is concerning is why data such as this was on a third-party server in the first place.
Read more on BleepingComputer.
Update: The InfoArmor report can be found here.