Thiago Ayoub, Chief Technology Officer at Sage Networks, recommends that, as a precaution, anyone who uses the same password on the Americanas, Submarino, or Shoptime websites as on other websites or services change it. This is in case there has been a data leak, which was not confirmed by the company.
“This episode is a lesson in the risk people take when reusing passwords. If a consumer uses the same password registered in Americanas or in Submarino in other systems and services, they shouldn’t consider that password secure,” says Ayoub.
“Another precaution we all have to take is to watch out for suspicious messages. We can assume that any data shared with Americanas [if there has been any leak] can be used for fraud in the future,” warns the specialist in developing digital security tools.
“Be suspicious even if you get a letter with your name, email, and address correct, telling you about some kind of unknown fee,” says Ayoub.
Procon Carioca asks for explanations
On Monday afternoon, the Municipal Institute of Consumer Protection and Defense (Procon Carioca) notified Americanas to provide information about defects in its virtual stores. The company has 20 days to report the case to the institute.
“Given that Americanas' e-commerce stores are visited by thousands of people daily and with the aim of investigating possible violations of consumer rights, Procon Carioca launched the preliminary investigation,” explains Igor Costa, executive director of the institute.
In Brazil, information about attacks on private networks is usually limited to what companies disclose.
The General Data Protection Law (LGPD), which imposes rules on the use of Brazilians' personal data, states that companies must notify their customers and the National Data Protection Authority (ANPD) about a “security incident that may cause significant risk or harm to data subjects”.
The law does not clearly state who is responsible for this assessment, nor what characterizes “related risk or harm.” Today, the analysis is carried out by the victim company itself.
“What catches the eye is the difficulty they [the Americanas S.A. team] had in putting up a warning page [on the sites, about the unavailability], which makes us assume that the task of the security team at Americanas is greater than the speed with which they were able to deal with the situation,” assesses Ayoub.
The online stores' websites started experiencing instability last Saturday (19), when the company stated that it had identified “improper access” and said there was “no evidence of database breaches.” The next day, the pages went down again and had not been restored as of the last update of this report.
Until the end of the morning of Monday (20), whoever tried to enter found the message “DNS Error”, which means that the “address” of the page was not available (see below).
DNS failure on Lojas Americanas website – Image: Reproduction
Only at noon did a notice from Americanas appear about the unavailability, with no information other than what had already been disclosed by the group’s press office. The same message appeared a little later on the Submarino website.
A notice on the Americanas website about the instability of the sites – Photo: Reproduction
Other Cases of Crashed Websites
One type of attack that has increased in recent years around the world is so-called ransomware, in which a virus “locks” information in systems and prevents access to it. The criminals then demand a ransom payment to provide a password that unlocks the data.
This is what happened to JBS, the world’s largest meat processor, in May last year. An attack of this nature disrupted its operations in Australia, Canada and the United States. The case was revealed because the FBI continued to investigate it and confirmed that it was ransomware. The company said it paid $11 million in ransom to the hackers.
Cases of sites that went offline, such as the Fleury diagnostic medicine network, also in 2021, and Renner Stores that same year, were not confirmed by the companies or authorities as ransomware or another type of hacker attack.
In December, the platform that collects information on cases and deaths due to Covid-19, e-SUS Notifica, was down for 11 days due to a hacker attack. The ConectSUS page, which is responsible for issuing the national Covid-19 vaccination certificate, was also offline.
The Lapsus$ Group claimed responsibility for the attack. During the first hours, a message appeared on the websites of the Ministry of Health and ConectSUS saying “Contact us if you want data recovery”.
The case is being investigated by the Federal Police and the Institutional Security Office.