C&M is a technology company that connects banks and fintechs to the Central Bank system, including Pix. During the attack, criminals used customer -leaked passwords to break into company systems and access financial institution reserve accounts – where banks leave money to comply with BC rules. At least six institutions were affected.
On Wednesday (2), after being warned by the company about the crime, the Central Bank determined the total suspension of C&M activities as a protection. With the implementation of new security barriers and audits, the BC authorized the partial operation of the company.
Operations, for now, can only happen on working days from 6:30 am to 6:30 pm, and depend on the authorization of each C&M partner financial institution. The Central Bank also determined reinforcement in fraud monitoring and control of moved values.
C&M states that its main systems continue to function normally and that it is collaborating with the authorities. The company classified the attack as a criminal action and said it reinforced internal controls and communication with affected customers.
Despite acting on the Pix system, the Central Bank reported that there was no deviation of money in instant transactions. The affected resources were in the reserve accounts maintained by financial institutions in the BC itself, not in common PIX operations.
