Learner driver data exposed in worrying breach - thousands affected

Brazilian driving school left major database unprotected online

When you purchase through links on our site, we may earn an affiliate commission.Here’s how it works.

A major Brazilian driving school appears to have exposed the sensitive information of up to 400,000 individuals after failing to properly secure acloud database.

Researchers fromCybernewsclaim to have found an unprotectedGoogleCloud Storage bucket containing information about Brazilian Learner’s Driving permits - Licença De Aprendizagem De Direção Veicular.

The learner permit is a document that the Brazilian government issues to people currently attending driving lessons, allowing them to drive a vehicle during lessons.Cybernewssays the archive is most likely owned by a driving school from Sao Paulo, called Centro de Formação de Condutores Free Alda.

Still available

Most of the exposed data carries a Detran insignia - which stands for State Department of Traffic (Departamento Estadual de Trânsito).

The researchers believe that up to 400,000 individuals have had sensitive data exposed this way, including full names, photographs, postal addresses, government ID numbers, taxpayers’ numbers, details about the driving permit, including issue date and validity period, signatures, IP addresses, and user phone models. This is more than enough to run all sorts of cybercrime, fromidentity theftto wire fraud.

The pros think the archive was either misconfigured, or not properly secured. It is impossible to determine for how long it remained open, or if anyone accessed it before they found it. TheCybernewsteam says they made the discovery on June 2, and that the school was subsequently contacted by Brazil’s CERT. However, as late as September 19, the archive was still open to anyone who knew where to look.

“The exposed data could be exploited by malicious actors for identity theft, fraud, or other illegal activities. Moreover, a breach of this type can undermine public trust in governmental agencies responsible for managing and protecting sensitive personal information,”Cybernewsresearchers said.

Are you a pro? Subscribe to our newsletter

Sign up to the TechRadar Pro newsletter to get all the top news, opinion, features and guidance your business needs to succeed!

More from TechRadar Pro

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.

A critical Palo Alto Networks bug is being hit by cyberattacks, so patch now

3 reasons why PIA fell in our best VPN rankings

Cybersecurity is business survival and CISOs need to act now