A photo taken at Bank A's counter was traveling through Bank B's systems
At the heart of Brazil's financial system, a dispute between technology companies has exposed what authorities describe as the country's largest theft of biometric data: a scheme alleged to have compromised the facial identity records of 22 million citizens without their knowledge or consent. Unico accuses Serasa of having routed facial recognition queries through channels exclusive to Banco do Brasil, feeding competing systems with data that never belonged to it. Serasa, a subsidiary of the British firm Experian, vehemently denies the accusations. The case highlights a question that goes beyond the legal: how far the invisibility of the data we carry on our own faces extends.
- Federal investigators executed a search warrant at the company Skill, setting off an investigation that points to the largest biometric leak in Brazil's history.
- Facial images captured at specific bank branches, with the bank's logo visible in the background, were identified circulating in the systems of entirely different institutions, without any authorization.
- Major banks such as Inter, BTG and Itaú confirmed having received irregular queries from Serasa and ClearSale, transactions they never authorized and knew nothing about.
- Unico estimates that the 1.4 million fraudulent transactions identified are only the tip of the iceberg of a scheme alleged to have affected the data of 22 million Brazilians.
- Serasa, valued as part of a £23 billion group, rejects the accusations and cites judicial secrecy as the reason for not detailing its defense, while the fintech sector watches the developments closely.
On a Wednesday morning, federal investigators arrived at the headquarters of Skill, a technology company, with a search warrant. What they found would cast suspicion on Serasa, one of Brazil's largest data companies, in a scheme alleged to have compromised the biometric records of 22 million people.
It all began with a contract. Unico, the Brazilian leader in biometric identification, had granted Skill exclusive rights to use its facial recognition software on behalf of Banco do Brasil. But the exclusivity is alleged to have been violated: according to Unico's investigation, Skill was redirecting queries from Serasa and ClearSale through the same channel reserved for the bank, allowing those companies to strengthen their own systems with data to which they had no right.
Unico noticed the anomaly when the volume of requests attributed to Banco do Brasil grew without any corresponding change in the bank's real activity. At the same time, clients migrating to competitors revealed something disturbing: Serasa's sales team claimed to be using Unico's own technology. The company hired independent forensic investigators, who discovered a systematic pattern: facial images captured at one bank's branches circulating in the systems of other institutions. At least 1.4 million fraudulent transactions were identified. Inter, BTG and Itaú confirmed having received irregular queries without ever having authorized them.
Unico estimates, however, that the real reach is 22 million Brazilians. Each unauthorized query, besides exposing personal data, trained Serasa's artificial intelligence systems with stolen information, a contamination that, once incorporated into a database built up over years, becomes practically impossible to reverse. The company has invested hundreds of millions of reais in the infrastructure that made it the market leader, with a valuation of US$ 2.6 billion.
Serasa, owned by the British firm Experian since 2012 and part of a group valued at £23 billion on the London Stock Exchange, said it 'vehemently refutes' the accusations. The company cited judicial secrecy as an impediment to accessing the full details of the allegations, and said it will respond when the time comes. For the 22 million Brazilians whose faces were scanned, verified and stored without consent, the case represents a silent, and perhaps irreversible, exposure.
On a Wednesday morning, federal investigators arrived at Skill, a technology company, with a search warrant. What they were looking for would eventually implicate one of Brazil's largest data firms in what authorities say is the country's biggest biometric data theft—a scheme that touched the personal identification records of 22 million people.
The story began with a contract. Unico, a biometric identification company, had granted Skill exclusive rights to use its facial recognition software on behalf of Banco do Brasil, a longtime client. But somewhere along the way, that exclusivity was breached. According to Unico's investigation, Skill was quietly redirecting facial recognition queries from Serasa and ClearSale—two competing firms—through the same channel meant only for the bank. This allowed Serasa and ClearSale to strengthen their own identification systems using data they had no right to access.
Unico noticed something odd first: the volume of requests supposedly coming from Banco do Brasil kept climbing, but when they asked the bank directly, there was no corresponding increase in their actual business. Meanwhile, other financial institutions that had been using Unico's system began switching to competitors. When Unico's clients mentioned they were testing alternatives, some revealed something strange: Serasa's sales team had told them they were using Unico's technology. That claim didn't add up. Unico hired independent forensic investigators to dig deeper.
What they found was systematic. Facial images captured at one bank's branch—complete with that bank's logo visible in the background—were flowing through databases belonging to entirely different institutions. A photo taken at Bank A's counter for Bank A's identification purposes was traveling through Bank B's systems. The forensic team identified at least 1.4 million fraudulent transactions moving through these unauthorized channels. When investigators approached major banks like Inter, BTG, and Itaú, those institutions confirmed they had received irregular queries from Serasa and ClearSale—queries they had never authorized and knew nothing about.
But 1.4 million transactions, Unico argues, is only the beginning. The company estimates the breach touched data on 22 million Brazilians. Each successful facial recognition query strengthens the underlying artificial intelligence system; each unauthorized query essentially trained Serasa's system using stolen information. Removing that contamination from a database built over years is nearly impossible. Unico itself has invested hundreds of millions in building the infrastructure that made it Brazil's market leader in biometric identification, a position reflected in its $2.6 billion valuation in its most recent funding round.
Serasa, owned by the British firm Experian since 2012, began as a credit-scoring company created by banks. Over the years it expanded into data technology and other services. Experian itself is valued at £23 billion on the London Stock Exchange. When asked about the allegations, Serasa issued a statement saying it "vehemently refutes" the accusations and noted that the case is under judicial secrecy, meaning it has not yet had access to the full details of what it is being accused of. The company said it operates in strict compliance with applicable law and will respond fully when the moment comes.
The investigation has opened a window into how biometric data moves through Brazil's financial technology sector—and what happens when that movement goes unseen. For 22 million people whose faces were scanned, verified, and stored, the breach represents an exposure they never consented to and may never fully understand.
Notable Quotes
Serasa vehemently refutes the accusations and notes the case is under judicial secrecy, meaning it has not yet had access to full details of what it is being accused of. — Serasa Experian statement
The Hearth Conversation: Another angle on the story
Why would Serasa need to redirect data through Banco do Brasil's channel instead of just building its own system?
Because Unico spent nearly a decade and hundreds of millions building a system that works. Each successful facial match teaches the AI to be better. Serasa could have built from scratch, but it would take years and billions. This way, they borrowed Unico's maturity.
But wouldn't the banks notice their own data being used elsewhere?
That's the clever part—and the criminal part. The queries came through as if they were still for Banco do Brasil. The banks only discovered it when investigators asked them directly. By then, millions of faces had already been processed.
What does it mean that you can't remove the contamination from the database?
Imagine teaching someone to recognize faces by showing them millions of examples. Now imagine half those examples were stolen. You can't just delete them from their memory. The learning is already baked in. Serasa's system got better because of data it shouldn't have had access to, and that advantage doesn't disappear.
Is Experian, the parent company, likely to face consequences?
That's the open question. Experian is a £23 billion company listed in London. If Serasa is found liable, the parent company's reputation and potentially its valuation could suffer. But Serasa is claiming it didn't know what was happening, that this was Skill's doing.
And 22 million Brazilians—what happens to them?
They're the ones who can't undo this. Their biometric data was used to train a system without their knowledge. If that data was compromised further, they have no way to change their face.