Legend: ✓ verbatim from the press; ? no verbatim passage
Data from 2.8 million Social Security numbers (CPFs) leaked in April — 98.2% from deceased persons and 52,151 from living individuals. The Social Security Technology and Information Company (Dataprev) confirmed the figures this Tuesday (26) at a National Social Security Council (CNPS) meeting, one month after the incident. ✓
Press quotes (1)
"At a meeting of the National Social Security Council (CNPS) held this Tuesday, the 26th, the Social Security Technology and Information Company (Dataprev) reported that the leak of INSS policyholders' data, on April 22, affected 2.8 million CPFs in total, the majority (98.2%) belonging to deceased citizens."
The breach was discovered by Dataprev on April 22, 2026, but the National Data Protection Authority (ANPD) was only notified by INSS five days later, on April 27 — according to ANPD's own statement following Folha's reporting on the case. ✓
Press quotes (1)
"This Friday (22), after the report was published, the agency issued a new statement saying that it was informed of the security incident by INSS on April 27."
According to Edmar dos Santos Ferreira Junior, Dataprev's representative at the meeting, the incident lasted only one day and was quickly identified. The flaw occurred in the Meu INSS app's query service. For affected living persons, the sensitive data exposed was birth dates — for the deceased, cause of death was not leaked. ✓
Press quotes (1)
"Dataprev's representative at the meeting, Edmar dos Santos Ferreira Junior, said that the incident took place over one day and was identified right away. 'There is no vulnerability,' he stated. He also said that, in the case of the deceased, the cause of death was not leaked. According to him, the sensitive data exposed was the date of birth of the 52,151 living people."
Breach affected 2.8 million CPFs, with 98.2% from deceased persons
Covered by only some sources, or where the accounts diverge.
Covered by only some sources (1)
ANPD was notified 5 days after breach discovery
- Is there an independent audit confirming the scope of 2.8 million leaked CPFs?
  Why it's still unknown: CGU, INSS and Senacon have not published official statements on independent verification of the numbers reported by Dataprev
  Did not cover: CGU
- Why did ANPD notification take 5 days after discovery?
  Why it's still unknown: INSS has not publicly explained the reason for the delay in communicating the incident to ANPD
  Did not cover: INSS
- What is the formal status of ANPD's investigation into the case?
  Why it's still unknown: ANPD's public incident registry or formal CIS process number were not found in a public search