The breach allows threat actors to perform identity theft, phishing campaigns, and extortion targeting the individuals affected. The exposure of medical records specifically increases the risk of spear-phishing and blackmail. Additionally, CIEE faced potential legal repercussions under Brazil’s Lei Geral de Proteção de Dados (LGPD) for failure to secure user data.

5. Security Recommendations

Full names, contact details, and addresses.

Regularly verify that cloud buckets (AWS S3, Google Cloud Storage) are not set to "public" by default.
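
An added example (not from the original paper) of the bucket check recommended above, limited to Google Cloud Storage: it reads each bucket's IAM policy and metadata, in the JSON shape the Cloud Storage API returns, and reports public principals and missing public access prevention. The bucket names, members and the `audit_bucket`/`audit_all` helpers are constructed for illustration.

```python
import json

# Principals that make a Cloud Storage IAM binding readable by anyone.
PUBLIC_MEMBERS = {"allUsers", "allAuthenticatedUsers"}

# Constructed sample inventory (hypothetical bucket names and members).
SAMPLE = json.loads("""
[
 {"name": "example-public-uploads",
  "policy": {"bindings": [
    {"role": "roles/storage.objectViewer", "members": ["allUsers"]},
    {"role": "roles/storage.objectAdmin",
     "members": ["serviceAccount:app@example-project.iam.gserviceaccount.com"]}]},
  "meta": {"iamConfiguration": {"publicAccessPrevention": "inherited",
           "uniformBucketLevelAccess": {"enabled": true}}}},
 {"name": "example-private-records",
  "policy": {"bindings": [
    {"role": "roles/storage.objectViewer", "members": ["group:hr@example.com"]}]},
  "meta": {"iamConfiguration": {"publicAccessPrevention": "enforced",
           "uniformBucketLevelAccess": {"enabled": true}}}}
]
""")

def audit_bucket(name, policy, meta):
    """Return findings for one bucket's IAM policy and bucket metadata."""
    findings = []
    for binding in policy.get("bindings", []):
        exposed = sorted(PUBLIC_MEMBERS & set(binding.get("members", [])))
        if exposed:
            findings.append(f"{name}: {binding.get('role')} granted to {', '.join(exposed)}")
    cfg = meta.get("iamConfiguration", {})
    if cfg.get("publicAccessPrevention") != "enforced":
        findings.append(f"{name}: public access prevention is not enforced")
    if not cfg.get("uniformBucketLevelAccess", {}).get("enabled", False):
        findings.append(f"{name}: uniform bucket-level access is disabled (object ACLs apply)")
    return findings

def audit_all(inventory):
    """Map bucket name -> findings, omitting buckets with none."""
    report = {}
    for b in inventory:
        found = audit_bucket(b["name"], b.get("policy", {}), b.get("meta", {}))
        if found:
            report[b["name"]] = found
    return report

if __name__ == "__main__":
    for findings in audit_all(SAMPLE).values():
        print("\n".join(findings))
```

Object ACLs are not inspected here, which is why a bucket without uniform bucket-level access is reported separately.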

This paper outlines the findings regarding a major data breach involving CIEE, a prominent Brazilian organization focused on student integration into the workforce. In July 2025, security researchers identified a publicly accessible Google Cloud Storage bucket containing approximately 28 GB of data, including (initially) over 248,725 records of Personally Identifiable Information (PII). The breach exposed highly sensitive information, including Brazilian CPF identifiers, medical reports, and internal records, with the exposure count potentially increasing upon deeper investigation.

1. Introduction

Restrict access to sensitive data based on least-privilege principles.

Brazilian individual taxpayer numbers (Cadastro de Pessoas Físicas).

The exposed data posed a severe risk to victims due to its detailed nature. The contents included: