Photo by Jan Kahánek on Unsplash
Yesterday, on 05/02/2022, I went to the São Paulo Cultural Center to return some comics I had borrowed from the Comic Book Library (Gibiteca). Upon arriving, anyone who wished to enter the library or Gibiteca had to present their identification so that they could record their CPF (Brazilian Social Security Number). The reason given was, 'We are currently experiencing technical issues, and we need to keep track of who is entering.' I just looked at the girl who was assisting us and shook my head in disapproval.
I completely understand the need to control access, but I must admit I felt quite uncomfortable becoming just another entry in that CPF record. However, I needed to return the overdue comic. After all, who knows who may have access to that record or how the data in it will be handled... I don't think anyone gave it much thought, and it seemed like the Brazilian General Data Protection Law (LGPD) was far from their minds. That's why I raised these concerns with them via email afterward.
-
Hello everyone, how are you doing?
I'm reaching out today because on 05/02/2022, I visited the São Paulo Cultural Center to return some comics I had borrowed from the Comic Book Library (Gibiteca).
To access the Gibiteca or the Library, they usually looked up our names in the system and granted entry. However, this time, the system was down, and the staff was using a notebook to record the CPF (Brazilian Social Security Number) of everyone who entered.
As a cybersecurity and privacy professional, this made me extremely uncomfortable, as that notebook is likely accessible to multiple individuals. Additionally, it raises the question of where and how this data is being stored and disposed of, as it contains our names and CPFs.
It is of utmost importance that you exercise caution when handling personal data in this manner. After all, if these CPFs fall into the wrong hands, they could be used for fraudulent purposes.
If you have any questions, I am at your disposal
-
Considering that no precautions were taken, what are the risks that all of us who had our names and CPFs recorded there face if this data falls into the hands of individuals with malicious intentions? It's almost certain that we could become victims of Identity Theft. These malicious individuals or fraudsters can impersonate us to gain an illicit advantage, such as making unauthorized purchases of products and services, applying for credit cards, or perpetrating other scams...
I hope that none of this comes to pass and that the Cultural Center takes the necessary actions. However, the reality is that this negligence in handling our personal data is still quite common, even after the introduction of the LGPD (Brazilian General Data Protection Law). It's up to us to remain vigilant and exercise our rights as data subjects with the ANPD (National Data Protection Authority), as I will do when encountering situations like this.