Cyber Incident Victim: SPTrans
Date:
Dec 2022
Location:
Brazil
Summary
A cybercrime incident targeting a public transport authority resulted in the exposure of registration data for Bilhete Único users, compromising sensitive personal information including names, identification numbers, addresses, contact details, and login credentials. The organization confirmed the breach, notified data protection and law enforcement authorities, and initiated a criminal investigation to identify the perpetrators. Affected individuals were instructed to change their passwords, though operational systems and card balances remained unaffected. Security measures were reinforced through collaboration with cybersecurity specialists, and transparency efforts included direct notifications to data holders via email where possible, alongside broader public communications.
| CIA Posture | Motives | Tactics, Techniques & Procedures |
|---|---|---|
| Available to members | 2 motives | 1 technique |
| Threat Actors | Type | Location |
|---|---|---|
| 0 actors | Available to members | Available to members |
Description
On December 15, 2022, SPTrans identified a cybercrime targeting its systems that exposed registration data of Bilhete Único users. The compromised dataset consisted of approximately 13 million records containing personal information including full names, social names, dates of birth, CPF numbers, government IDs, residential addresses, telephone numbers, family affiliations, PIS numbers, student registration details, marital statuses, places of birth, genders, email addresses, and login credentials for the SPTrans service portal. Forensic analysis indicated the leaked information corresponded to a snapshot of user data from April 2020. The organization confirmed no operational disruption occurred to Bilhete Único cards, with all balances remaining intact and transport services functioning normally. SPTrans initiated formal legal procedures by notifying Brazil's National Data Protection Authority (ANPD) and filing a criminal report with the Cybercrime Division (DCCIBER) of São Paulo's Civil Police to investigate the breach's origins.
Following confirmation of the data exposure, SPTrans implemented a multi-channel notification strategy starting December 23, 2022, contacting affected users via email when valid addresses were available in their profiles. The communications instructed recipients to immediately change their portal passwords while clarifying no physical visits to service stations were required. Organizational response included strengthening technical security measures through engagement of specialized cybersecurity firms, aligning with Brazil's General Personal Data Protection Law (LGPD) requirements. Public awareness efforts extended to website announcements and planned social media campaigns to maximize reach beyond email notifications. SPTrans formally condemned the criminal act while acknowledging its impact on both the organization and citizens, maintaining operational transparency throughout the incident response without disclosing specific technical vulnerabilities exploited or attacker attribution details.