Fintech FictorPay was the target of a cyber attack that embezzled R$26 million from customers last Sunday, the 19th. The attack was revealed by the website PlatôBRand confirmed by Broadcast (Grupo Estado’s real-time news system).
The attack occurred due to a leak of credentials from the software company Dilleta Solutions, which provides services for Fictor Group’s fintech.
Dilleta confirms that it was the victim of an invasion of its systems. The company communicates in a statement that it is collaborating with the police authorities to assist in the investigation of the incident and the identification of its perpetrator. According to sources, other Dilleta partners would have been affected and the total diverted would be at least R$40 million.
Take your business to the next level with the country’s top entrepreneurs!
FictorPay states in a statement that its systems were not directly affected. Celcoin, which provides bank as a service (BaaS) for FictorPay, also informs that the cyber attack was not directed at its structure. A bank as a service company provides technological infrastructure for companies that want to offer financial services.
On Sunday, Celcoin, alerted by the Central Bank (BC) itself, informed FictorPay of unusual movements in customer accounts, with outflows via Pix in higher than usual volumes.
The startup Dilleta was founded in 2014 by Michel Cusnir. The company was created within the State University of Campinas (Unicamp) and is currently based in the university’s Scientific and Technological Park. It has more than 110 employees and works with software and application development.
Limit for transactions via Pix
The attack over the weekend increased the BC’s concern about the value limit for transactions via Pix. The municipality is considering imposing a limit on the amount of operations for all institutions, not just those that use Information Technology Service Providers (PSTIs).
After attacks against financial institutions, the BC established in September a limit of R$15,000 for Pix transactions for unauthorized institutions or those that connect to the National Financial System Network (RFSN) via PSTIs.
A limitation on transactions for authorized institutions was already being studied by the municipality, and became urgent after last Sunday’s attack, according to people who follow the issue closely.
Continues after advertising
FictorPay is not a participant in Pix, and depends on other companies to access the system. However, the transactions carried out on Sunday did not come from PSTI, which means that they did not have to respect the limit of R$15,000 per transaction.
Celcoin – a company authorized by the BC and a direct participant in Pix – offered FictorPay integration into the payment system, in the model known as “Pix Indirect.” In practice, she served as the instant payments account holder.
