Security flaw hits another Portuguese bank: the IBANs of this bank's customers were (also) exposed through the mobile phone number

A new bank alert has again raised concerns about digital security in Portugal. Caixa Geral de Depósitos (CGD) recently sent a communication to several customers confirming the detection of a security incident that may have exposed sensitive data. The bank's warning comes a few days after a similar case was reported by Activobank, raising questions about the robustness of a system used by several banks in Portugal.

In the messages sent, the bank reported that some customers had their data obtained “illicitly, by means outside Caixa Geral de Depósitos.” The exposed information is reported to be account numbers and IBANs, associated only with the mobile phone number.

Despite the severity of the situation, CGD made a point of stressing that the incident “does not and will not result in any financial loss”, and assured customers that banking services remain intact and operational. Still, the episode generated apprehension among customers.

What is in question?

According to the Tugatech digital technology forum, the vulnerability may be related to the SPIN system, a platform created by Banco de Portugal in 2024 to simplify transfers. The goal was to allow them to be made using only the recipient’s mobile phone number, without the need to share the IBAN.

Attackers are said to have exploited the verification mechanism, simulating transfers to associate telephone numbers with the names of account holders and their IBANs. A bitter irony, as the system was designed precisely to protect the most sensitive data.

According to the same source, CGD did not officially confirm that the failure originates from SPIN, but the similarities with the case previously reported by Activobank make the hypothesis difficult to ignore. For now, there is no indication that other banks have communicated similar flaws.
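A defender-side view of the pattern described above, as an added example that does not come from the article, the banks or Banco de Portugal: flag clients that resolve many distinct phone numbers in a short window without completing transfers. The event format, thresholds and client names are assumptions, and the events are constructed.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=10)  # assumed sliding window
MAX_DISTINCT = 5                # assumed cap on distinct numbers resolved per window
MIN_COMPLETION = 0.2            # assumed minimum share of lookups that end in a transfer

def build_sample():
    """Constructed events (timestamp, client, action, phone); not real data."""
    t0 = datetime(2025, 1, 1, 10, 0, 0)
    events = []
    for i in range(8):  # client-B walks sequential numbers and never sends money
        events.append((t0 + timedelta(seconds=20 * i), "client-B", "lookup", f"90000000{i}"))
    for i in range(6):  # client-D pays many recipients: each lookup ends in a transfer
        t = t0 + timedelta(seconds=60 * i)
        events.append((t, "client-D", "lookup", f"91000000{i}"))
        events.append((t + timedelta(seconds=5), "client-D", "transfer", f"91000000{i}"))
    return sorted(events)

def flag_enumeration(events):
    """Return {client: time of first alert} for lookup patterns that look like enumeration."""
    lookups = defaultdict(deque)   # client -> (timestamp, phone) lookups inside the window
    completed = defaultdict(set)   # client -> phones that actually received a transfer
    alerts = {}
    for ts, client, action, phone in events:
        if action == "transfer":
            completed[client].add(phone)
            continue
        window = lookups[client]
        window.append((ts, phone))
        while ts - window[0][0] > WINDOW:  # drop lookups older than the window
            window.popleft()
        phones = {p for _, p in window}
        done = len(phones & completed[client])
        # Many distinct recipients resolved, almost none of them ever paid.
        if len(phones) > MAX_DISTINCT and done / len(phones) < MIN_COMPLETION:
            alerts.setdefault(client, ts)
    return alerts

if __name__ == "__main__":
    for client, ts in flag_enumeration(build_sample()).items():
        print(f"{ts.isoformat()} possible recipient enumeration by {client}")
```

A per-client window like this misses slow or distributed probing, so it complements rather than replaces limiting what the confirmation step reveals before a transfer is authorised.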

The risk of social engineering

The main danger is not direct access to money, but the use of the exposed data in fraud schemes. In possession of the IBAN and other validation elements, criminals may contact victims pretending to be bank employees and thus obtain more critical information such as access codes or passwords.

This type of attack, known as social engineering, has been increasing in Portugal. Fake SMS messages, emails with fraudulent links and telephone calls that mimic customer support lines are common. Having the IBAN in hand is another way of reinforcing the credibility of the scam.

CGD reminds customers that they should never provide personal data by telephone, SMS or email, even if the caller or sender presents themselves as a bank representative. The same applies to codes sent by message, which should only be entered in the official app or on the institution’s website.

Security Recommendations

Good practices reinforced by CGD include three central points: do not click on links received in unsolicited messages, do not perform operations at ATMs at the request of third parties, and never provide authentication elements outside the official channels.

The bank also advises customers to activate movement alerts in the app, which provide real-time notifications whenever there is a transaction. This simple measure can make a difference in quickly detecting any attempted fraud, according to the.

This type of attack exploits not only technical failures but also human lapses, such as trust in unexpected phone calls or haste in responding to alarmist messages.

The National Data Protection Commission (CNPD) may evaluate the case, as it involves the processing and exposure of personal data. In similar situations, the entity has already applied sanctions to institutions that did not guarantee adequate levels of information protection.

This episode arises in a context where the digitization of banking services has advanced rapidly in Portugal. The convenience of transferring money using only the mobile phone number has brought advantages, but also new risks that are now starting to become more visible.

A warning for the future?

More than an isolated problem, this case is a reminder that no system is totally immune to flaws. Banks, regulators and customers need to stay alert to ensure that digital innovation does not open the way to new forms of fraud.

For customers, the rule is clear: stay vigilant, always confirm the communications received and distrust any request for personal data. The future of digital banking is one of trust, but that trust is only built with transparency and security.