The investigation is in the hands of the PJ and at least 6000 social security beneficiaries were affected. The authorities do not rule out the possibility of internal involvement.
At least 6000 beneficiaries were affected by a security failure on the Direct Social Security website (SSD), which allowed improper changes to IBANs.
Although the entities involved have not confirmed the exact number of people affected, it is estimated that the diverted amounts reach tens of thousands of euros. The case is under investigation by the Judicial Police (PJ), with suspicions that the action involved a bot and the use of a VPN to hide the origin of the attack.
The failure was detected in September 2024, when the system identified an abnormal pattern: IBAN change requests appeared every four minutes. Many beneficiaries reported changes that they had not requested, leading to a temporary suspension of this functionality on the site.
The breach raised questions about the origin of the data used: whether it came from previous attacks or from the dark web, where Social Security information was found for sale.
Social Security confirmed that 90 complaints were received, involving about 60 thousand euros. In response, since October 1, 2024, it has been mandatory to appear in person to change bank details. The institution said it was developing measures to reinforce security in the IBAN update process on the site.
Investigators are also considering other forms of misconduct, such as phishing, and do not rule out the possibility of internal involvement. In 2022, Social Security was the target of another cyberattack, whose alleged objective was the destruction of data. At the time, it was denied that citizens' data had been compromised, but the exposure of 14,000 workers was confirmed in January 2023.
The impact of the recent security failure led to the resignation of Sérgio Carvalho, President of the Institute of Informatics, a few days after the discovery of the problem. Authorities, however, continue to investigate the incident.