Mário Cruz / Lusa
45 people were arrested on Wednesday by the Judicial Police (PJ), by Burla Informática to hundreds of direct social security users. The searches were done in Lisbon, Porto, Coimbra, Setúbal and Bragança.
A PJ stopped 45 people in the context of an investigation of derision that damaged hundreds of users of the Direct social security.
At issue is the deviation of social benefits to the suspects’ bank accounts.
According to the statement issued by the PJ, the inquiry is held by the Central Department of Criminal Investigation and Action (DCIAP) and under the “Operation Constellations”, the National Unit to Combat Cybercrime and Technological Crime (UnC3T), today, were held 51 home searches in Lisbon, Porto, Coimbra, Setúbal and Bragança.
Megaburla through Social Security
According to the Judicial Police, since June 2024 the suspects were able to access to personal accounts of at least 531 users of the direct social security service and change the IBAN.
“According to the investigation developed, at least since June 2024, the organization, consisting of several groups with connections with each other, was able to access illegitimately to the personal accounts of hundreds of direct social security service and to change the IBAN that was registered for the receipt of different social benefits (pension of old age, unemployment allowance, illness allowance, social income and family allowance) They were transferred to bank accounts controlled by the suspects, ”explained the PJ.
However, this is not yet identified.
The 45 detainees are “strongly indicted” by Crimes of criminal association, computer scam, computer falsity and illegitimate and improper access and the damage to the 531 victims identified so far“Many of them especially vulnerable, who needed those income for their survival,” is cheered at 228,000 euros, according to the amounts already cleared.
Among detainees are 35 men and 10 women, between 18 and 39 years oldwhich will be present to the competent judicial authority in the Public Prosecution Service.
Social Security was in check
The failure was detected in September 2024, when the system identified an abnormal standard: IBAN change requests They appeared every four minutes. Many beneficiaries reported changes that they had not requested, leading to a temporary suspension of this functionality on the site.
The breach raised questions about the origin of the data used, if it would be from previous attacks or Dark Web, where social security information was found for sale.
Social Security confirmed that 90 complaints were receivedinvolving about 60 thousand euros. In response, since October 1, 2024, it has been mandatory to present in person to change bank data. The institution said it was developing measures to reinforce security in the IBAN update process on the site.
Investigations also consider other forms of misconduct, such as phishing, and do not rule out possibility of internal involvement. In 2022, Social Security was the target of another cyberataque, whose objective would be the destruction of data.
At the time, it was denied that data from citizens had been compromised, but a data exhibition of 14 thousand workers was confirmed in January 2023.
The impact of the recent security failure led to Sérgio Carvalho ResignationPresident of the Institute of Informatics, a few days after the discovery of the problem.
