Dígitro Data Leak: What UK Businesses Must Learn
The Dígitro leak exposed 3.39 TB and three critical CVEs. Find out what happened and how to protect your company from supplier risk.
by Cleverson Gouvêa

The Dígitro data leak has become the biggest corporate cybersecurity warning of 2026 in Brazil: 3.39 terabytes of databases, source code and internal files from a strategic defence supplier were exposed publicly. If a manufacturer that serves over 150 public bodies can be compromised, so can your company. Here I explain what happened, what to learn and how to protect yourself.
TL;DR
- On 8 April 2026, approximately 3.39 TB attributed to Dígitro Tecnologia were published via the DDoSecrets collective.
- The company supplies the Guardião system (lawful interception) and NGC Explorer, used by security forces and public bodies.
- Three flaws — CVE-2025-4526, CVE-2025-4527 and CVE-2025-4528 — were catalogued and fixed in the latest versions of NGC Explorer.
- CTIR Gov issued Recommendations 05, 09 and 10/2026: update to NGC Explorer 3.48.22+, segregate the network and block external access to administrative interfaces.
- The lesson applies to any business: attacks via suppliers already account for around 30% of global breaches.
What happened in the Dígitro leak
On 8 April 2026, a dataset attributed to Dígitro Tecnologia was published by anonymous sources via the DDoSecrets collective. The material totals 3.39 terabytes and includes databases, source code repositories and internal company files.
The problem is not just the volume. It is the content. Exposing source code of interception systems means handing over the map of the internal architecture. With it, an attacker can study how the software works, look for undocumented access paths and develop tailor-made exploits. It is the difference between breaking down a door in the dark and receiving the building's floor plan with the locks marked.
Dígitro has publicly responded to the government's recommendations and stated that the catalogued vulnerabilities have already been fixed in the current versions of its products. Nevertheless, the episode has left a risk surface open for those running outdated versions.
Who is Dígitro and why the case is serious
Dígitro is a company based in Santa Catarina with nearly five decades of operation, recognised by the Ministry of Defence as a Strategic Defence Company (EED). It develops the Guardião system, a platform used for lawful interception of voice and data under judicial authorisation, as well as transcription and communications management tools.
According to reports of the incident, the company's products serve more than 150 government institutions and public security bodies in the country. When a supplier with this level of penetration is compromised, the damage is not contained within it — it spreads to the entire chain that depends on its systems.
This is exactly the point that matters to any business, not just security agencies. The Dígitro leak is a case study in concentrated risk in a critical supplier. You can have the best security hygiene in the world internally and still be exposed because a partner in your chain failed.
The technical vulnerabilities behind the case
Alongside the leak, three vulnerabilities were catalogued in Dígitro's NGC Explorer component. They help to understand how unauthorised access can occur when the software is not updated.
| CVE | Component | What the flaw allows |
|---|---|---|
| CVE-2025-4526 | NGC Explorer | Exposure of passwords due to lack of masking on configuration pages |
| CVE-2025-4527 | NGC Explorer | Client-side flaw allowing remote access to sensitive information |
| CVE-2025-4528 | NGC Explorer | Insufficient session expiry, allowing bypass of the security mechanism |
These are three classic application security issues: sensitive data travelling or appearing without protection, fragile access control on the client side, and a session that does not expire when it should. None of them is exotic — and that is precisely why they serve as a lesson. The same categories of flaw appear in administrative panels, ERPs and internal systems of companies of all sizes.
The manufacturer has stated that all three CVEs have been fixed in the latest versions of NGC Explorer. However, the existence of a fix does not protect those who do not apply the patch. It is the gap between "the flaw has been fixed" and "the fix is installed" that attackers exploit.
What CTIR Gov recommended
CTIR Gov — the federal government's centre for cyber incident response — published a series of recommendations (05/2026, 09/2026 and 10/2026) based on information from Dígitro itself. The emergency measures are a roadmap that serves for virtually any critical system:
- Immediately update NGC Explorer to version 3.48.22 or higher.
- Restrict access and apply network segregation, isolating the equipment.
- Block all external and remote access to the administrative interfaces of the equipment.
- Audit credentials and API keys, rotating corporate secrets.
- Continuously monitor the attack surface for exposures.
Note that only the first recommendation is specific to Dígitro. The other four are universal defence principles. If your company applied this same checklist to every critical system, the attack surface would drop dramatically.
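Three items on this checklist (patch level, exposure of the administrative interface, age of secrets) can be checked automatically against an asset inventory. The script below is an added example, not a CTIR Gov or Dígitro tool; the inventory fields, host names and the 90-day rotation limit are assumptions, and only the 3.48.22 minimum comes from the recommendation.

```python
import ipaddress
from datetime import date

MIN_FIXED = (3, 48, 22)       # NGC Explorer minimum from the recommendation
MAX_SECRET_AGE_DAYS = 90      # assumed rotation policy, not from the advisory
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed inventory: hosts, ranges and dates are illustrative only.
INVENTORY = [
    {"host": "ngc-a", "version": "3.48.9", "admin_allow": ["10.20.0.0/24"],
     "secret_rotated": date(2026, 3, 1)},
    {"host": "ngc-b", "version": "3.48.22", "admin_allow": ["0.0.0.0/0"],
     "secret_rotated": date(2025, 6, 1)},
    {"host": "ngc-c", "version": "3.49.0", "admin_allow": ["192.168.5.0/24"],
     "secret_rotated": date(2026, 4, 1)},
]


def parse_version(text):
    """'3.48.9' -> (3, 48, 9). As strings, '3.48.9' sorts after '3.48.22'."""
    return tuple(int(part) for part in text.strip().split("."))


def is_internal(cidr):
    """True only if the whole range sits inside private IPv4 space."""
    net = ipaddress.ip_network(cidr, strict=False)
    return net.version == 4 and any(net.subnet_of(r) for r in RFC1918)


def audit(inventory, today):
    """Return {host: [findings]} for the three automatable checks."""
    report = {}
    for asset in inventory:
        findings = []
        if parse_version(asset["version"]) < MIN_FIXED:
            findings.append("outdated")
        allow = asset["admin_allow"]     # an empty allow-list means no filter
        if not allow or not all(is_internal(c) for c in allow):
            findings.append("admin-exposed")
        if (today - asset["secret_rotated"]).days > MAX_SECRET_AGE_DAYS:
            findings.append("stale-secret")
        report[asset["host"]] = findings
    return report


if __name__ == "__main__":
    for host, findings in audit(INVENTORY, date(2026, 4, 15)).items():
        print(host, findings or "ok")
```

Versions are compared as integer tuples because a plain string comparison would rank 3.48.9 above 3.48.22 and report an unpatched host as compliant.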
Why this is a supply chain problem
The most important angle of the Dígitro leak for the corporate audience is not Guardião — it is the supply chain. Attacks that come through third parties (a software supplier, a code dependency, a contractor with access to your network) already account for around 30% of global breaches, according to industry analyses of the case itself.
The pattern repeats. We have seen this before in infected NPM packages in the Shai-Hulud campaign, which contaminated the open-source supply chain, and in the episode where GitHub was breached via a malicious VS Code extension that leaked thousands of repositories. The vector changes — package, extension, defence supplier — but the logic is always the same: compromise a trusted link to reach all those who depend on it.
For most companies, the critical supplier is not an interception company. It is the ERP, the cloud payroll, the payment gateway, the customer service tool. Every integration with access to your data is a link that needs to be assessed.
How to assess supplier risk
- Map the access: what data does this supplier read, write or store? The more sensitive, the stricter the criteria.
- Demand transparency: do they publish security advisories, CVEs and patch timelines? Silence is a red flag.
- Require segregation: is the supplier's access isolated from the rest of your network, or do they enter through a wide door?
- Document the exit: if you need to terminate this partner tomorrow, can you revoke everything quickly?
How your company should protect itself
The Dígitro leak is too large for an ordinary company to replicate at scale, but the defences are the same regardless of size. At Agathas Web, when we take over a client's infrastructure, this is the core of the work: reducing the exposed surface before it becomes headline news.
- Patching on time is the cheapest defence. Most incidents exploit flaws that have already been fixed. Having a process to update servers, applications and dependencies is worth more than any expensive tool.
- Never expose administrative panels to the open internet. Management interfaces should live behind a VPN, restricted IP or segregated network — exactly what CTIR Gov recommended.
- Rotate secrets and use credential management. Passwords and API keys in plain text, without expiry, are the favourite entry point. Mask, rotate, and never leave a secret in a repository.
- Segregate the network. If a system is compromised, segregation prevents the attacker from moving laterally to the rest of the environment.
- Monitor. You cannot respond to what you do not see. Centralised logging and exposure alerts shorten the distance between the breach and the reaction.
These principles do not depend on the sector. They apply to an online shop, a Moodle-based distance learning platform or a customer service system. Security is not a product you buy — it is a discipline you maintain.
Common mistakes that amplify the damage
Some habits turn a small incident into a catastrophe. Reusing the same administrative password across multiple systems means that one leaked credential opens all doors at once. Keeping backups on the same server as the application means losing both the data and the backup in the same attack. And blindly trusting "the supplier handles it" without ever reviewing access is like handing over the house keys and forgetting who has the copy. Avoiding these three mistakes already puts you ahead of most.
Data sovereignty: where your information lives matters
The Dígitro case has reignited a growing discussion: sovereignty over the traffic and storage of national data. The company was cited precisely as an example of critical infrastructure kept within Brazilian territory. When sensitive data lives abroad, a layer of legal control is added — you become subject to the laws and court orders of another jurisdiction, often without knowing it.
For companies, the practical question is simple: do you know where your customer data is hosted? Physically, in which country are the servers of your ERP, your email, your customer service system? The answer influences everything from legal response time in an incident to compliance with the UK GDPR.
There is no single correct choice — global providers have excellent security. But the decision needs to be conscious, not an accident of contract. Keeping sensitive workloads in auditable infrastructure, with clear access control and known location, is part of the same hygiene that prevents you from becoming the next headline.
UK GDPR and shared responsibility
A point that many companies ignore: hiring a supplier does not transfer responsibility for your customers' data. Under the UK GDPR, the data controller remains responsible even when the breach occurs in a partner's infrastructure. "The supplier failed" is not a sufficient legal defence.
In practice, this means three minimum obligations. First, choose processors that demonstrate security maturity — and document that due diligence. Second, have contracts that define responsibilities, notification deadlines and obligations in the event of an incident. Third, maintain a response plan that includes notifying the ICO and the data subjects when there is a relevant risk.
The Dígitro case shows that even suppliers of the highest technical calibre are targets. Assuming that "big company means secure company" is the assumption that costs the most in information security.
Conclusion: the next link could be you
The Dígitro leak is not a distant story about police interception. It is a mirror. It shows that exposed surface, delayed patches and weak credentials bring down everything from a defence supplier to a small digital operation. The difference between making the news and continuing to operate lies in the basics done well: update, isolate, rotate and monitor.
If you are not sure how exposed your infrastructure is — how many open panels, how many secrets without rotation, how many suppliers with broad access — this is the time to audit. At Agathas Web, we help companies map and reduce that surface before it is exploited. Start with the checklist in this post and treat each item as a door that needs to be locked.