250 GB of scanned documents leak from Brazilian banks.


The leak was reported by the research group Data Group. So far, the group has revealed that Banco Pan customers had their digitized documents, such as their CPF (Brazilian taxpayer ID), CNH (Brazilian driver's license), and RG (Brazilian national ID), exposed on a server.

According to the news outlet, it was also possible to access proof of address, contracts, payment orders, statements, pay stubs, paychecks, and credit card information.


There is no exact number of how many customers were exposed. "It's difficult to estimate a specific number of affected customers, since, due to the magnitude of the leak (and the disorganization of the files), it was not possible to count the number of consumers included in the incident," says The Hack.

By exposing this data, the leak reveals each customer's financial life in detail. It is possible to track monthly income and bank transactions, as well as to view statements generated via internet banking.

According to the news outlet, four companies were identified in the leak, "different from the financial sector, all specializing in the retired, pensioner, military, and public servant population."

  • Banco Pan was reportedly the most affected. According to the bank's press office, the server in question belongs to a business partner, but they were unable to provide the partner's name.

The Bank informs that the environment in question is not its property and that, after a thorough analysis of its security systems, no intrusion was detected. In its dealings with commercial partners, the Bank captures registration data of potential clients before the formalization of a transaction with the Bank, which takes appropriate measures if any misuse of this information is identified. It reaffirms that information security is one of its priorities, aligned with internationally recognized best practices and those required by regulatory bodies. Committed to society, it remains available to collaborate in the investigation of the facts.

All the documents were in an Amazon S3 (Simple Storage Service) bucket, a cloud storage service. As the publication notes, the problem wasn't a vulnerability in the bucket: it was public, open for anyone to access.
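The following is an added example, not part of the original article: an offline check a bucket owner can run over the JSON returned by `aws s3api get-bucket-policy`, `get-bucket-acl` and `get-public-access-block` to see whether a bucket is readable by anyone. The article does not say whether the bucket was opened through its policy or its ACL, so the sketch checks both; the function names, the bucket name and the sample inputs are constructed for illustration.

```python
import json

# ACL grantee groups that mean "anyone" / "any AWS account holder".
PUBLIC_GROUPS = {
    "http://acs.amazonaws.com/groups/global/AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers",
}

def as_list(value):
    return value if isinstance(value, list) else [value]

def public_policy_statements(policy):
    """Sids of Allow statements open to any principal with no Condition.
    Simplification: a statement with a Condition is not flagged and needs manual review."""
    sids = []
    for st in as_list(policy.get("Statement", [])):
        principal = st.get("Principal")
        aws = principal.get("AWS") if isinstance(principal, dict) else principal
        if st.get("Effect") == "Allow" and "*" in as_list(aws) and not st.get("Condition"):
            sids.append(st.get("Sid", "<no Sid>"))
    return sids

def public_acl_grants(acl):
    return [g["Permission"] for g in acl.get("Grants", [])
            if g.get("Grantee", {}).get("URI") in PUBLIC_GROUPS]

def audit(policy_json, acl, block):
    """Findings that leave the bucket readable from the internet."""
    findings = []
    if not block.get("RestrictPublicBuckets"):   # public policies still take effect
        findings += ["policy:" + s for s in public_policy_statements(json.loads(policy_json))]
    if not block.get("IgnorePublicAcls"):        # public ACL grants still take effect
        findings += ["acl:" + p for p in public_acl_grants(acl)]
    return findings

# Constructed sample inputs (bucket name and account id are placeholders).
SAMPLE_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
     "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-scans/*"},
    {"Sid": "PartnerUpload", "Effect": "Allow",
     "Principal": {"AWS": "arn:aws:iam::111122223333:root"},
     "Action": "s3:PutObject", "Resource": "arn:aws:s3:::example-scans/*"}]})
SAMPLE_ACL = {"Grants": [{"Grantee": {"Type": "Group",
    "URI": "http://acs.amazonaws.com/groups/global/AllUsers"}, "Permission": "READ"}]}
FLAGS = ("BlockPublicAcls", "IgnorePublicAcls", "BlockPublicPolicy", "RestrictPublicBuckets")
OPEN = dict.fromkeys(FLAGS, False)     # the weak setting
LOCKED = dict.fromkeys(FLAGS, True)    # the corrected setting

if __name__ == "__main__":
    print("open:  ", audit(SAMPLE_POLICY, SAMPLE_ACL, OPEN))
    print("locked:", audit(SAMPLE_POLICY, SAMPLE_ACL, LOCKED))
```

With all four Public Access Block flags enabled, the same public policy statement and ACL grant no longer expose the bucket, which is why the audit returns no findings for the corrected setting.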

Source: The Hack

About the Author


  • We are a Privacy and Personal Data Protection Management, GRC, and ESG solution provider. We help companies build responsible businesses.
