A cyberattack targeting Brazil-based C&M Software, a key technology provider for financial institutions, has raised fresh concerns about cybersecurity in the fintech sector. According to a statement from Brazil’s central bank, the breach impacted reserve accounts of several smaller institutions that rely on C&M for critical infrastructure connectivity.
C&M Software Confirms Cyberattack
C&M Software, which serves roughly two dozen small financial institutions in Brazil, confirmed it was the direct victim of a cyber intrusion. The company stated that the attackers attempted to fraudulently use client credentials to gain access to its systems. “Critical systems remain fully operational, and all security protocol measures have been activated,” said Kamal Zogheib, Commercial Director at C&M Software.
The company is actively cooperating with Brazil’s central bank and Sao Paulo state police as investigations continue.
Brazil Central Bank Orders Access Suspension
In response, the central bank ordered C&M to suspend access for all financial institutions connected to its infrastructure. While the exact scope of the attack remains unclear, the regulatory body emphasised that the incident affected institutions that lack their internal connectivity infrastructure.
These are typically digital payment institutions, which have become prominent in Brazil’s financial ecosystem, particularly since the rise of the Pix instant payment system launched in 2020.
BMP Confirms Reserve Account Breach
One of the affected institutions, BMP, told Reuters that unauthorised access occurred in its reserve account at the central bank during the incident on Monday. BMP clarified that:
- The breach had no impact on customer accounts
- The compromised account is used exclusively for interbank settlements
- BMP maintains sufficient collateral to cover the impacted funds
- No harm was caused to clients, operations, or partners
Investigation and Scale of Impact
A source close to the investigation, speaking anonymously, confirmed that no client losses have been reported. While the full financial impact is still being assessed, the amounts involved do not reach billions of reais, easing fears of a widespread financial threat.
Background: Brazil’s Growing Fintech Ecosystem
Brazil’s financial landscape has experienced rapid digital transformation, with fintechs and digital banks filling market gaps left by traditional institutions. Many of these rely on third-party service providers like C&M Software to operate in Brazil’s modernised payment ecosystem.
The Pix system, developed and operated by the central bank, has played a central role in this shift, quickly becoming Brazil’s most-used payment method since its 2020 launch.
Conclusion
While the cyberattack on C&M Software did not disrupt Brazil’s financial system at scale, it underscores the rising risks associated with outsourced financial infrastructure. As digital banking continues to grow in Brazil, ensuring strong cybersecurity frameworks across all partners—especially those serving smaller institutions—will be critical.
