Learner driver data exposed in worrying breach - thousands affected

Brazilian driving school left major database unprotected online

· TechRadar

News By Sead Fadilpašić published 30 October 2024

(Image credit: Shutterstock)

A major Brazilian driving school appears to have exposed the sensitive information of up to 400,000 individuals after failing to properly secure a cloud database.

Researchers from Cybernews claim to have found an unprotected Google Cloud Storage bucket containing information about Brazilian Learner’s Driving permits - Licença De Aprendizagem De Direção Veicular.

The learner permit is a document that the Brazilian government issues to people currently attending driving lessons, allowing them to drive a vehicle during lessons. Cybernews says the archive is most likely owned by a driving school from Sao Paulo, called Centro de Formação de Condutores Free Alda.

Still available

Most of the exposed data carries a Detran insignia - which stands for State Department of Traffic (Departamento Estadual de Trânsito).

The researchers believe that up to 400,000 individuals have had sensitive data exposed this way, including full names, photographs, postal addresses, government ID numbers, taxpayers’ numbers, details about the driving permit, including issue date and validity period, signatures, IP addresses, and user phone models. This is more than enough to run all sorts of cybercrime, from identity theft to wire fraud.

The pros think the archive was either misconfigured, or not properly secured. It is impossible to determine for how long it remained open, or if anyone accessed it before they found it. The Cybernews team says they made the discovery on June 2, and that the school was subsequently contacted by Brazil’s CERT. However, as late as September 19, the archive was still open to anyone who knew where to look.

“The exposed data could be exploited by malicious actors for identity theft, fraud, or other illegal activities. Moreover, a breach of this type can undermine public trust in governmental agencies responsible for managing and protecting sensitive personal information,” Cybernews researchers said.

Are you a pro? Subscribe to our newsletter

Sign up to the TechRadar Pro newsletter to get all the top news, opinion, features and guidance your business needs to succeed!

Contact me with news and offers from other Future brandsReceive email from us on behalf of our trusted partners or sponsors