The Central Bank of Brazil (BC) reported on Wednesday, 2 July, that C&M Software — a technology company that connects financial institutions to the BC — had been the target of a cyberattack on its digital infrastructure. C&M Software (CMSW) provides services that integrate smaller banks with the BC’s PIX payment system. Following the incident, the BC ordered the immediate disconnection of all institutions connected to C&M from the systems operated by the company.
The Case
C&M Software informed the Central Bank that its systems had suffered a cyberattack. The breach enabled unauthorized access to the reserve accounts of at least six financial institutions using their services. These reserve accounts hold the funds that banks are required to maintain at the Central Bank to fulfill financial obligations. They are also used to enable financial institutions to engage in operations with the BC, such as liquidity loans, public securities investments, and mandatory deposits.
Who Was Affected?
The BC has not yet released the full list of affected institutions. However, one confirmed victim is BMP, a company that provides digital banking infrastructure and is a client of C&M Software. BMP publicly acknowledged the incident in an official statement.
How It Happened
According to C&M Software, the attackers gained access by misusing customer credentials to log in to its systems. With that access they were able to reach the financial institutions’ reserve accounts and potentially obtain other sensitive information. The attack is classed as a “supply chain attack”: rather than breaching each bank directly, the attackers compromised a trusted third-party service provider and used its privileged access to its clients’ systems to carry out unauthorized financial operations.
Impact
While the affected institutions have stated that customer accounts and data were not compromised, cybersecurity experts are warning of the broader implications for the financial system. The estimated financial damage amounts to R$800 million. According to experts, the case involves three major concerns:
- Reputational Impact: The exposure of companies using C&M Software’s services has damaged their credibility.
- Systemic Risk: The attacks underscore vulnerabilities in privileged access management and the security protocols of the financial technology supply chain.
- Operational Consequences: The incident reveals an urgent need for institutions to reassess and strengthen their system access controls and cybersecurity frameworks.
Analysis
The recent cyberattack targeting C&M Software exposes a critical vulnerability in Brazil’s financial infrastructure, particularly in the systems that connect smaller institutions to the Central Bank’s PIX network. As a classic example of a supply chain attack, the incident demonstrates how third-party service providers, often trusted and deeply integrated into the core operations of financial institutions, can become vectors for serious breaches.
From a cybersecurity governance perspective, the case highlights the systemic risks posed by overreliance on intermediaries without adequate segmentation or multi-layered protection. That valid customer credentials alone were enough to reach sensitive systems points to gaps in identity verification (for example, strong authentication and limits on what any single credential may do), in monitoring of privileged sessions, and in endpoint protection.
Looking ahead, this incident should prompt not only an internal audit among financial institutions but also a broader regulatory dialogue led by the Central Bank. It is essential to enforce strict compliance requirements for fintech vendors and prioritize the development of real-time threat detection and incident response protocols. As Brazil continues to expand its digital financial infrastructure, safeguarding trust in systems like PIX must go hand in hand with stronger risk management practices and shared accountability across the financial supply chain.
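The two preceding paragraphs call for privileged-session monitoring and real-time threat detection without showing what that looks like in practice. The following is an added example, not code from C&M Software, the Central Bank or the sources cited on this page: a small rule-based monitor that screens the settlement operations a connector submits on behalf of its client institutions, treating a valid credential as context to be checked rather than as proof of legitimacy. The log format, field names, thresholds, service window and sample traffic are all constructed assumptions for illustration.

```python
"""Added example (not code from C&M Software, the Central Bank or the page):
rule-based monitoring of the privileged settlement operations a connector
submits on behalf of its client institutions. Log format, field names,
thresholds and the service window are all assumptions for illustration."""
from collections import defaultdict
from datetime import datetime, timedelta

# Tunable thresholds (assumed values, not taken from the incident).
SERVICE_WINDOW = (8, 18)             # operations expected between 08:00 and 18:00
AMOUNT_MULTIPLIER = 10               # alert above 10x the institution's baseline max
BURST_COUNT = 3                      # alert at 3+ operations per credential ...
BURST_WINDOW = timedelta(minutes=5)  # ... inside a 5-minute window

# Constructed baseline: one ordinary day of traffic used to learn what is normal.
# Fields: (timestamp, institution, credential_id, source_ip, amount_brl, destination)
BASELINE_LOG = [
    ("2025-03-03T10:15:00", "INST_A", "cred-a1", "203.0.113.10", 120_000.00, "ACC-1001"),
    ("2025-03-03T11:40:00", "INST_A", "cred-a1", "203.0.113.10",  95_000.00, "ACC-1002"),
    ("2025-03-03T14:05:00", "INST_B", "cred-b1", "203.0.113.20", 310_000.00, "ACC-2001"),
    ("2025-03-03T15:30:00", "INST_B", "cred-b1", "203.0.113.20", 280_000.00, "ACC-2002"),
]

# Constructed live traffic: one benign operation plus a burst of off-hours,
# oversized transfers issued with a valid credential from an unseen address.
LIVE_LOG = [
    ("2025-03-04T03:12:00", "INST_A", "cred-a1", "198.51.100.7", 45_000_000.00, "ACC-9001"),
    ("2025-03-04T03:13:30", "INST_A", "cred-a1", "198.51.100.7", 38_000_000.00, "ACC-9002"),
    ("2025-03-04T03:14:10", "INST_A", "cred-a1", "198.51.100.7", 52_000_000.00, "ACC-9003"),
    ("2025-03-04T10:00:00", "INST_B", "cred-b1", "203.0.113.20",    300_000.00, "ACC-2003"),
]


def parse(rows):
    """Turn raw tuples into event dicts with a real datetime."""
    keys = ("ts", "inst", "cred", "ip", "amount", "dest")
    events = [dict(zip(keys, row)) for row in rows]
    for e in events:
        e["ts"] = datetime.fromisoformat(e["ts"])
    return events


def build_baseline(events):
    """Learn, per institution, the largest routine amount and, per credential,
    the set of source addresses it has legitimately been used from."""
    max_amount = defaultdict(float)
    known_ips = defaultdict(set)
    for e in events:
        max_amount[e["inst"]] = max(max_amount[e["inst"]], e["amount"])
        known_ips[e["cred"]].add(e["ip"])
    return max_amount, known_ips


def detect(events, baseline):
    """Return (timestamp, institution, credential, amount, reasons) for every
    operation that trips at least one rule. A valid credential is not treated
    as proof of legitimacy; the surrounding context decides."""
    max_amount, known_ips = baseline
    recent = defaultdict(list)  # credential -> timestamps inside BURST_WINDOW
    alerts = []
    for e in sorted(events, key=lambda ev: ev["ts"]):
        reasons = []
        if not SERVICE_WINDOW[0] <= e["ts"].hour < SERVICE_WINDOW[1]:
            reasons.append("outside service window")
        if e["inst"] not in max_amount:
            reasons.append("no baseline for institution")
        elif e["amount"] > AMOUNT_MULTIPLIER * max_amount[e["inst"]]:
            reasons.append("amount exceeds baseline")
        if e["ip"] not in known_ips.get(e["cred"], set()):
            reasons.append("unseen source address for credential")
        # Sliding window of this credential's recent operations.
        window = [t for t in recent[e["cred"]] if e["ts"] - t <= BURST_WINDOW]
        window.append(e["ts"])
        recent[e["cred"]] = window
        if len(window) >= BURST_COUNT:
            reasons.append("burst of operations")
        if reasons:
            alerts.append((e["ts"].isoformat(), e["inst"], e["cred"], e["amount"], reasons))
    return alerts


def run_demo():
    """Learn from the baseline day, then screen the live traffic."""
    return detect(parse(LIVE_LOG), build_baseline(parse(BASELINE_LOG)))


if __name__ == "__main__":
    for ts, inst, cred, amount, reasons in run_demo():
        print(f"{ts} {inst} {cred} R${amount:,.2f}: {', '.join(reasons)}")
```

Run against the constructed traffic, the benign daytime operation from INST_B passes silently, while the three INST_A operations are each flagged for the off-hours timing, the amount and the unseen source address, and the third one additionally for the burst. In a real deployment the baseline would be learned over a longer history, the thresholds would be set per institution, and an alert on a privileged credential would feed a response path that can hold or reverse the operation rather than merely log it.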
Source: G1 [1] [2] [3], O Globo [1] [2], Metrópoles and TecMundo.