Cyberattack on Brazil Tech Provider Disrupts Reserve Accounts of Several Financial Institutions
Brazil’s central bank revealed on Wednesday that C&M Software, a technology services provider catering to financial institutions without their own connectivity infrastructure, suffered a cyberattack targeting its systems. In response, the central bank ordered C&M to suspend access to the infrastructure it manages for these institutions.
Kamal Zogheib, C&M Software’s commercial director, confirmed the company was a direct victim of the attack, which involved fraudulent use of client credentials to try to access its services. Despite the breach, C&M said its critical systems remain intact and fully operational, with all security protocols activated. The company is working closely with the central bank and Sao Paulo state police as investigations continue.
Brazilian financial institution BMP and five other banks reported unauthorized access to their reserve accounts during the Monday attack. These reserve accounts, held directly at the central bank, are used solely for interbank settlements and are separate from client accounts, which were unaffected. BMP stated it has taken appropriate operational and legal measures and holds sufficient collateral to cover any impacted amounts, ensuring no disruption to its operations or partners.
An anonymous official indicated C&M services about two dozen smaller financial institutions, and the financial impact of the attack does not reach billions of reais. Another source confirmed no losses were sustained by clients.
The central bank refers to these affected entities as “financial institutions lacking their own connectivity infrastructure,” including many digital payment providers that have grown rapidly in Brazil. The Pix instant payment system, operated by the central bank since late 2020, has become the country’s most popular payment method, driving competition and innovation in the sector.