The Banco Central do Brasil disclosed on 20 March 2026 that 28,203 PIX keys associated with customers of Pefisa Credito, Financiamento e Investimento had their registration data exposed due to specific system failures at the institution. The exposure period ran from 30 August 2025 to 27 February 2026, meaning the vulnerability persisted for nearly six months before the central bank issued its public notification.
The compromised data was limited to registration information tied to the PIX keys and did not include passwords, transaction records, account balances, or other data subject to banking secrecy. The Banco Central confirmed that no movement of funds was possible through the exposed information alone. Nevertheless, the incident represents the third PIX-related data exposure in 2026 and the 23rd since the system launched in November 2020.
PIX has grown at an extraordinary pace since its introduction, processing over 55 billion transactions in 2025 and serving as the leading payment method for Brazilian consumers and businesses. That scale brings a correspondingly large attack surface. Pefisa operates as a credit, financing, and investment institution, and its integration with the PIX ecosystem required maintaining a database of customer keys that became the point of vulnerability.
The Banco Central stated it will investigate the case and may apply sanctions including fines, suspension, or exclusion from the PIX system depending on the severity of the findings. The regulator has consistently maintained that all PIX participants must meet strict security standards, but the recurrence of data exposure events across different institutions suggests that enforcement alone has not eliminated the problem.
The Pefisa incident is smaller in scope than the more serious security events that affected PIX infrastructure in 2025. In June, a breach at financial infrastructure provider C&M Software resulted in fraudulent PIX transactions estimated at between 80 million and 800 million dollars. In August, an attempted heist of 710 million reais targeted the PIX environment operated by Sinqia, which supports 24 financial institutions. While the Pefisa case did not involve unauthorized transactions, it adds to a catalog of vulnerabilities distributed across the PIX participant ecosystem rather than concentrated in the central system itself.
The pattern highlights a structural challenge for any instant payment system that operates at scale with a large number of participating institutions. The PIX directory contains hundreds of millions of registered keys spread across banks, fintechs, and payment institutions of varying technical maturity. Each participant represents a potential point of failure, and the Banco Central's ability to enforce uniform security standards across this diverse set of institutions remains under test.