
Hundreds of thousands of future motorists had their personal details leaked online after over 400,000 Brazilian driver’s license permits were left open in an unprotected storage bucket.
The Cybernews research team has discovered a trove of sensitive information in an unprotected Google Cloud Storage bucket containing over 400,000 records. Most of the leaked documents are the Licença De Aprendizagem De Direção Veicular, a Brazilian Learner’s Driving permit.
Such permits are issued to Brazilians who want to obtain a driver’s license. A “learner’s permit” grants wannabe motorists the right to operate a vehicle during driving lessons. According to the team, the bucket’s owner most likely is Centro de Formação de Condutores Free Alda, a São Paulo-based driving school.
Most of the exposed data is marked with a Detran insignia. Detran stands for Departamento Estadual de Trânsito (State Department of Traffic), a government agency responsible for regulating vehicle and driver-related matters. Each of Brazil’s 26 states has a separate Detran.
Since Cybernews researchers operate under strict ethical guidelines, the team could not investigate the complete dataset. However, at least some of the records were marked “detrains.sp,” a combination of letters used by Detran of São Paulo, Brazil’s most populated city.
We have reached out to the driving school for comment and will update the article once we receive a reply.

What data was exposed?
The leaked records exposed a trove of Brazilians’ personally identifiable information such as:
- Full names
- Photographs
- Addresses
- Government ID numbers
- Taxpayers’ numbers (CPF number)
- Details about the driving permit, including issue date and validity period
- User signatures
- IP addresses
- User phone models
While the exact number of exposed individuals is impossible to identify, most records appear to each represent a single individual, which could bring the number of people whose details were leaked to 400,000.
According to the team, the bucket also held documents related to obtaining the learner’s driving permits, such as certificates verifying that the individual has completed the required practical driving course according to the specified regulations and is now qualified to proceed to the next steps in obtaining a driver's license.
Long road to data safety
Researchers believe the leak most likely happened because the instance was misconfigured or lacked proper security measures. The team could not determine for how long the leak was publicly exposed.
However, the open bucket was discovered on June 2nd. As it was initially unclear who owned the data, Brazil’s CERT was contacted to assist in securing it.
CERT informed the team that the data most likely belonged to a school, which researchers later identified to be Centro de Formação de Condutores Free Alda. According to Brazilian authorities, driving schools in the country are private and act as intermediaries between individuals and Detran.
Even though CERT informed Cybernews that they reached out to the driving school behind the leak, the instance was still publicly accessible as late as September 19th. The bucket was only partly closed at the time of publishing – dedicated attackers could still access data stored there.
The team has also sent multiple emails to the driving school, informing them that their customers’ data was exposed.
Meanwhile, the team believes that exposing the data could lead to privacy violations, identity theft, or misuse of personal data. Exposing personal details from the learner's driving permits poses a significant privacy risk to the affected individuals.
“The exposed data could be exploited by malicious actors for identity theft, fraud, or other illegal activities,” our researchers said.
Disclosure timeline
- June 2nd: bucket discovered
- June 10th: disclosure to CERT
- September 20th: disclosure to the company
- October 10th: listing disabled
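A Cloud Storage bucket can stop answering public listing requests while its objects remain readable by anyone, which is one way a bucket ends up only "partly closed." The script below is an added example, not code from Cybernews or the driving school: it audits a bucket IAM policy, in the JSON shape returned by `gcloud storage buckets get-iam-policy --format=json`, and separates public listing from public object reads. The sample policies and the service account name are constructed, and that this matches the bucket in the article is an assumption.

```python
import json

PUBLIC = {"allUsers", "allAuthenticatedUsers"}  # principals meaning "anyone"

# Read-related permissions carried by common Cloud Storage roles:
# "list" = storage.objects.list, "get" = storage.objects.get.
ROLE_PERMS = {
    "roles/storage.objectViewer": {"list", "get"},
    "roles/storage.legacyBucketReader": {"list"},
    "roles/storage.legacyObjectReader": {"get"},
    "roles/storage.objectAdmin": {"list", "get"},
    "roles/storage.admin": {"list", "get"},
}

def public_grants(policy):
    """Map each read path to the roles that open it to public principals."""
    found = {"list": [], "get": [], "unknown": []}
    for binding in policy.get("bindings", []):
        if not PUBLIC.intersection(binding.get("members", [])):
            continue
        perms = ROLE_PERMS.get(binding["role"])
        if perms is None:
            found["unknown"].append(binding["role"])  # custom or unlisted role
            continue
        for perm in sorted(perms):
            found[perm].append(binding["role"])
    return found

def verdict(policy):
    """Classify the bucket-level exposure. Per-object ACLs are not covered here;
    they can also grant allUsers unless uniform bucket-level access is on."""
    g = public_grants(policy)
    if g["list"] and g["get"]:
        return "open"            # anyone can enumerate and download
    if g["get"]:
        return "partly-closed"   # listing off, objects still downloadable
    if g["list"]:
        return "names-exposed"   # object names visible, contents not
    return "review" if g["unknown"] else "closed"

# Constructed sample policies (not taken from the bucket in the article).
BEFORE = json.loads('{"bindings": [{"role": "roles/storage.objectViewer", "members": ["allUsers"]}]}')
LISTING_OFF = json.loads('{"bindings": [{"role": "roles/storage.legacyObjectReader", "members": ["allUsers"]}]}')
LOCKED = json.loads('{"bindings": [{"role": "roles/storage.objectViewer", "members": ["serviceAccount:app@example.iam.gserviceaccount.com"]}]}')

if __name__ == "__main__":
    for name, pol in (("before", BEFORE), ("listing off", LISTING_OFF), ("locked", LOCKED)):
        print(f"{name}: {verdict(pol)}")
```

A result of "partly-closed" means the remediation is unfinished: the public binding has to be removed entirely, not just swapped for a role without list permission.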