Brazil’s central bank announced on Wednesday that C&M Software, a tech services provider supporting financial institutions without their own connectivity infrastructure, has fallen victim to a cyberattack. The bank did not disclose specific technical details but stated that it instructed C&M to suspend access for financial institutions to the infrastructure it manages.
C&M Software’s commercial director, Kamal Zogheib, confirmed the breach, explaining that the company was directly targeted. He said the attackers attempted to exploit client credentials to gain unauthorized access to the company’s systems and services. “The company was a direct victim of the cyberattack,” Zogheib said, adding that critical systems remain secure and operational. He also emphasized that all appropriate security protocols had been activated and that C&M is working closely with the central bank and São Paulo state police during the investigation.
Brazilian financial institution BMP informed Reuters that it, along with five other institutions, experienced unauthorized access to their reserve accounts during the incident, which occurred on Monday. According to BMP, the compromised accounts are held directly with the central bank and are exclusively used for interbank settlements. The bank clarified that customer accounts and internal balances were not impacted.
BMP assured that it has taken all necessary legal and operational measures in response to the breach. “We hold sufficient collateral to fully cover the impacted amount, without any harm to our operations or business partners,” the bank stated.
A source familiar with the investigation, speaking anonymously, revealed that C&M provides infrastructure services to approximately two dozen smaller financial institutions. The source noted that the financial sums involved in the breach are not believed to reach into the billions of reais. Another individual close to the matter confirmed that clients did not suffer any financial losses.
The central bank’s reference to “financial institutions lacking their own connectivity infrastructure” largely pertains to digital payment institutions, a fast-growing segment in Brazil’s financial sector. Innovations like Pix—an instant payment platform launched by the central bank in late 2020—have driven rapid adoption and increased competition in the market. Pix has since become the country’s most widely used payment method.
