Brazil’s Central Bank has confirmed that C&M Software, which provides technology services for financial firms without their own connectivity networks, had been targeted in a cyberattack. The regulator ordered C&M to suspend access to its infrastructure for affected institutions, Reuters reported.

C&M Software’s commercial director, Kamal Zogheib, said the firm was the direct target of an attack involving fraudulent use of client credentials to try to breach its systems.

He said critical systems remained functional and that security measures had been enacted. The company is assisting the central bank and São Paulo state police with the investigation.

Financial firm BMP told Reuters that it and five other institutions faced unauthorised access to their Central Bank reserve accounts used for interbank settlements.

“No client accounts or internal balances were impacted,” BMP said, adding it has enough collateral to cover the affected sums.

An official with knowledge of the case said C&M works with about 20 smaller institutions and that the amounts involved do not run into the billions of reais. Another source said no client losses were reported.

The Central Bank has described such firms as providers for digital payment institutions, which have expanded rapidly alongside new services like the Pix instant payment system launched in 2020.