
Brazil’s central bank disclosed on Wednesday that technology services firm C&M Software, a key infrastructure provider for financial institutions without proprietary connectivity systems, was the target of a recent cyberattack. The breach, which reportedly occurred on Monday, prompted immediate regulatory intervention and raised concerns across the country’s digital banking sector.
In response to the incident, the central bank instructed C&M Software to suspend access for financial institutions to the infrastructure it manages. While the bank did not detail the nature or scale of the breach, it confirmed that it is closely monitoring the situation.
Kamal Zogheib, commercial director of C&M Software, said the company was directly targeted in the attack. According to Zogheib, hackers used fraudulent client credentials in an attempt to infiltrate its systems and services. He emphasized that the company’s critical infrastructure remained unaffected and fully operational. Zogheib also stated that C&M had enacted all required security protocols and is collaborating with both the central bank and São Paulo state police in the ongoing investigation.
One of the affected institutions, Banco Modal Partners (BMP), confirmed to Reuters that it, along with five other financial entities, experienced unauthorized access to their reserve accounts maintained at the central bank. These accounts are used exclusively for interbank settlements, and BMP said that client accounts and internal balances were not compromised. The bank added that it has taken all necessary legal and operational steps to address the situation and holds sufficient collateral to cover the impacted funds without disrupting its business operations.
A government official familiar with the matter, speaking on condition of anonymity, said C&M Software services approximately two dozen smaller financial institutions. The official noted that the financial impact of the breach is not expected to run into the billions of reais. Another source added that no client losses have been reported.
The affected financial institutions are part of a growing segment of Brazil’s banking ecosystem—digital payment institutions that operate without their own direct connectivity to central banking systems. These entities have expanded rapidly in recent years, fueled by the success of the central bank’s Pix system, an instant payment platform launched in 2020 that has quickly become the most widely used payment method in the country.
© 2025, Lyonsdown Limited. teiss® is a registered trademark of Lyonsdown Ltd. VAT registration number: 830519543