Cyberattack at SPTrans System in Sao Paulo Exposes Data of 13 Million Riders

April 6, 2023


On December 15, 2022, SPTrans became aware that its systems had experienced a cyber-attack resulting in the leak of personal
data of 13 million users of Bilhete Único, the public transportation card of the city of São Paulo. The Bilhete Único cards remain active and the respective balances are preserved , with no losses in the credits used in the transport service.

The exposed data is from the month of April 2020 and include social name, birth date, Individual Taxpayer Registration (CPF), national ID card, address, phone number, email, student’s enrollment, among others. The Cyber Crimes Division (DCCIBER) of the Criminal Investigations Department (DEIC) of the São Paulo State Civil Police has been notified among others, so that a criminal investigation can be initiated to verify the authorship and origin of the leak.

Incident Date

December 15, 2022



Estimated Cost

No cost values disclosed.

Type of Malware

No Malware identified

Threat Source

No threat source identified