How third-party cyber risk management could have mitigated banking incidents in Brazil


In July 2025, the Central Bank of Brazil disclosed that hackers had infiltrated C&M Software, a banking services provider. Because C&M's system managed the settlement accounts of at least six banks, the criminals were able to make a series of transactions that siphoned out over R$813 million (around $150 million).
Only two months later, in September, another services provider, Sinqia, was targeted. Once again, hackers made several transactions, stealing around R$400 million (or $75 million) from Sinqia's clients. Around the same time, a third incident was made public, with Monbank losing R$4.9 million ($900,000).
While Brazilian media is now reporting on two new incidents, details are still limited. However, given the involvement of service providers and the potential for third-party cyber risk management (TPCRM) to mitigate (or even prevent) similar events in the future, it's worthwhile to look at what we already know about these first three incidents.
The three incidents
In the first incident, police investigations showed that hackers bribed a man who worked at C&M Software. After being arrested, he admitted that the criminals paid a total of R$15,000 (a little less than US$3,000) for privileged credentials and technical information on the workings of the Pix system.
Pix is an instant payment and transaction system operated by the Central Bank of Brazil. Brazil already had a digital transaction system called TED when Pix was introduced in 2020, but the new system added several features, such as 24/7 availability and the option to link bank accounts to phone numbers or email addresses.
To settle Pix transactions, financial institutions keep a settlement account (or "reserve account") that is used to clear transactions within the Central Bank's infrastructure, the SPI (Instant Payment System).
For many Brazilians, Pix works just as well as debit cards for payments, since transactions are both fast and free (or very cheap). It's also often the easiest way to send money to friends or family. For fintech startups, Pix has become a gateway to the banking market, as they can connect indirectly to the infrastructure through other banks and specialized providers.
Unfortunately, Pix's speed has also been exploited by criminals, who either trick account holders in online and phone scams or outright kidnap and coerce them to transfer money to the criminal's account. In response, the Central Bank of Brazil created a process to reverse transactions, as well as other security checks. Financial fraud is a challenge in the country, but this activity has mostly targeted consumers, not banks.
That's why the attack against C&M was different. Financial institutions can connect to the Pix infrastructure directly or through an accredited IT services provider, depending on their size and regulatory status. C&M is one of eight such providers. At the time of the incident, C&M was working with at least six banks.
Once inside the system, the hackers were able to funnel the money in the reserve accounts to numerous other accounts, many of which were associated with legitimate businesses. Most of these accounts were presumably under the attackers' control, having been compromised or opened before the heist.
While this activity triggered security locks on certain accounts, and the perpetrators probably lost control of a few others before they could move the funds, some of the money was eventually converted into cryptocurrency. Investigations are ongoing, and so far only the bribed employee has been arrested.
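The fan-out pattern described above, as an added example that is not part of the original article and does not describe any real bank's, provider's or Central Bank control: a Python check over constructed settlement-account transfer records that flags a source account when, inside a short sliding window, it pays many beneficiaries it has never paid before and the window total far exceeds what the account's own history predicts. Account identifiers, amounts, window length and thresholds are all assumptions made up for the example; in practice they would be tuned per institution and fed from the provider's transaction log.

```python
"""Fan-out detection over settlement-account transfers (constructed example).

Flags a source account when, inside a sliding window, outbound transfers
reach many never-seen beneficiaries AND move far more than history predicts.
"""
from collections import defaultdict, deque
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class Transfer:
    ts: datetime
    source: str    # settlement (reserve) account the money leaves from
    dest: str      # beneficiary account
    amount: float  # BRL


@dataclass
class Alert:
    source: str
    window_end: datetime
    new_beneficiaries: int         # distinct destinations never paid in history
    window_total: float            # BRL moved inside the window
    expected_window_volume: float  # what history predicts for one window


def detect_fanout(history, live, history_hours=24.0,
                  window=timedelta(minutes=10),
                  min_new_dests=5, volume_multiple=5.0):
    """Return one Alert per source whose live transfers, inside a sliding
    window, (a) reach at least `min_new_dests` beneficiaries absent from
    `history` and (b) move more than `volume_multiple` times the volume
    that history predicts for a window of that length.

    Both conditions must hold: a large settlement to a known counterparty,
    or onboarding a few new small customers, does not fire on its own.
    A source with no history has expected volume 0, so (b) is trivially
    true and (a) alone decides. Thresholds are illustrative assumptions.
    """
    known = defaultdict(set)        # per source: destinations seen in history
    hist_total = defaultdict(float)
    for t in history:
        known[t.source].add(t.dest)
        hist_total[t.source] += t.amount
    window_hours = window / timedelta(hours=1)
    expected = {src: total / history_hours * window_hours
                for src, total in hist_total.items()}

    recent = defaultdict(deque)     # per source: transfers inside the window
    alerts = {}
    for t in sorted(live, key=lambda x: x.ts):
        if t.source in alerts:      # one alert per source is enough here
            continue
        q = recent[t.source]
        q.append(t)
        while t.ts - q[0].ts > window:   # drop transfers older than the window
            q.popleft()
        new_dests = {x.dest for x in q if x.dest not in known[t.source]}
        total = sum(x.amount for x in q)
        baseline = expected.get(t.source, 0.0)
        if len(new_dests) >= min_new_dests and total > volume_multiple * baseline:
            alerts[t.source] = Alert(t.source, t.ts, len(new_dests), total, baseline)
    return list(alerts.values())


# Constructed sample data (not real transactions). One day of history:
# RES-A settles with three regular counterparties every two hours and
# RES-B pays twenty counterparties hourly; both move R$1.2M over the day.
DAY0 = datetime(2025, 7, 1)
HISTORY = (
    [Transfer(DAY0 + timedelta(hours=2 * i), "RES-A", f"DEST-A{i % 3}", 100_000.0)
     for i in range(12)]
    + [Transfer(DAY0 + timedelta(hours=i), "RES-B", f"DEST-B{i % 20}", 50_000.0)
       for i in range(24)]
)
DAY1 = DAY0 + timedelta(days=1)
LIVE = (
    # a large but routine settlement to a known counterparty: no alert
    [Transfer(DAY1 + timedelta(hours=1), "RES-A", "DEST-A0", 150_000.0)]
    # the heist pattern: eight R$500k transfers to never-seen accounts in 4 minutes
    + [Transfer(DAY1 + timedelta(hours=2, seconds=30 * k), "RES-A", f"MULE-{k}", 500_000.0)
       for k in range(8)]
    # RES-B onboards six small new beneficiaries: new destinations, tiny volume, no alert
    + [Transfer(DAY1 + timedelta(hours=3, minutes=j), "RES-B", f"NEW-B{j}", 1_000.0)
       for j in range(6)]
)


def run_demo():
    """Run the detector over the constructed day: exactly RES-A should fire."""
    return detect_fanout(HISTORY, LIVE)


if __name__ == "__main__":
    for a in run_demo():
        print(f"{a.source}: {a.new_beneficiaries} new beneficiaries, "
              f"R${a.window_total:,.0f} in window vs R${a.expected_window_volume:,.0f} "
              f"expected, at {a.window_end:%Y-%m-%d %H:%M:%S}")
```

On the constructed data the alert fires on the fifth mule transfer, two minutes into the burst, with R$2.5 million already out; the point of pairing a new-beneficiary count with a volume ratio is that neither a big routine settlement nor a handful of genuinely new customers trips it. Because the attackers held valid provider credentials, a check like this has to run on the provider's own transaction stream, which is exactly the internal visibility the article argues banks should negotiate with critical third parties.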
BMP is the most well-known victim of this first breach, though Banco Paulista, Credsystem, and Carrefour have also confirmed they were affected. There has been significant speculation regarding the total amount stolen, but recent media reports say law enforcement estimates put the figure at R$813 million.
The second breach against Sinqia/Evertec (Evertec acquired Sinqia in 2023) is actually a fourth-party incident from the perspective of the banks. The company has stated that the hackers used credentials belonging to an IT services provider, meaning that the incident likely began at a third party of a third party. Everything else follows the pattern seen in the C&M cyberattack, with HSBC and Artta being the main victims in this case.
Little is known about the third incident. According to Monbank, which was apparently directly targeted, only R$200,000 of the R$4.9 million stolen were not immediately recovered. It is unknown if any third party was involved, but the incident is otherwise very similar to the other two, given that the hackers once again accessed the systems responsible for interbank transfers. In other words, more copycat attacks could follow, and financial institutions should remain vigilant.
Why third-party risk management is needed
Given that only accredited IT providers can connect to the Central Bank's payments infrastructure, banks and financial institutions might think that they don't need to manage the risks associated with these third parties, or that they don't have to be as strict about their cybersecurity. As the incidents showed, this reasoning is dangerous.
Third parties often do not compensate their clients for losses. This appears to be true here: one of the victims, Artta, has publicly disclosed that it will bear most of the losses stemming from the incident, unless an agreement is reached in the future.
The business risk and the assets all belonged to the financial institutions, so they're doing the heavy lifting in the aftermath, even if they were not directly at fault.
In response to the incidents, the Central Bank of Brazil adopted new requirements for accredited providers. While the new guidelines do close a few gaps, both technical and financial (such as insurance), they do not replace each institution’s risk management processes.
The yearly assessments required by the Central Bank of Brazil can help make sure that each accredited provider is prepared to implement cybersecurity processes and respond to incidents. Ensuring that such processes are followed through on, however, is a daily battle. That's why businesses should monitor critical third parties continuously.
Strict regulations can stifle innovation, so creating and enforcing IT regulations is a balancing act for government bodies. They usually aim for a baseline level of security to avoid systemic risks that could collapse the entire sector, but without overreach. As such, it's up to each business to manage its risks and build the best strategy to do so.
Certifications and audits like SOC 2 are not enough to manage the particular risks that exist in each industry, especially when such assessments are partially controlled by the third party itself. External attack-surface monitoring would not have helped in the C&M and Sinqia incidents either, since the attackers used valid internal credentials in both cases; misuse of legitimate access only shows up in internal telemetry such as authentication and transaction logs.
Instead, businesses should look inside their third parties' IT infrastructure. Partners should not be seen as strangers. Once a business connects to a third party, the result is a shared ecosystem that should be protected cooperatively by both.
Outsourcing is not the enemy
The advantages of outsourcing IT infrastructure are many, since businesses can rely on third parties to implement new features or functionality faster, given that they will often have several clients with similar needs.
The same is true in the banking sector. The Pix system in Brazil has seen several updates, and banks might understandably look for a trusted provider to complement their existing infrastructure by covering their blind spots or offering redundancy.
However, outsourcing an activity does not outsource the risk. A contract cannot guarantee appropriate restitution if the third party is unable to pay, for example. Cybersecurity incidents also lead to reputational damage, and the ensuing losses can be difficult to measure.
That is why it's better to adopt a more hands-on approach, especially with the third parties that are most critical to the business. Yearly cybersecurity check-ups are not enough when hackers can exploit an unpatched vulnerability within days or even hours.
The latest Verizon Data Breach Investigations Report (DBIR) found that 30% of all breaches (incidents with data loss) involved a third party. This should not be seen as evidence that outsourcing is risky, but that businesses are not taking the right approach to ensure their third parties are secure. This is not an ask-and-forget problem, but a continuous process, just like every effort in cybersecurity.
IT providers are at their best when they build elegant and scalable systems that meet the needs of all their clients. In the same vein, third parties have the potential to be very cooperative and transparent – but companies must ask for it and seek the appropriate solutions to make it a reality.