
Serasa Experian Breach
Jan 20, 2021
223,739,216 rows
What happened in the Serasa Experian Breach?
DataBreach.com Team · January 3rd 2025, 7:00 pm EST
On 20 January 2021, Brazilian cybersecurity firm PSafe uncovered a dataset holding the personal records of more than 220 million people being traded on a dark-web forum, instantly marking the event as the largest data breach in Brazil’s history.
The leak—roughly 1 TB of compressed files—contained names, dates of birth, CPF tax numbers, addresses, phone numbers, email addresses, salary ranges, credit scores and even facial images. A second collection exposed data on 40 million Brazilian companies, complete with CNPJ identifiers and estimated revenues, suggesting the trove was assembled from several compromised sources over many months.
The threat actor posted two sample files and advertised the full package for US $40,000 in Bitcoin, offering buyers a searchable web panel. Screenshots showing live CPF look-ups spread quickly across social media and mainstream outlets, amplifying public outrage and drawing regulators’ attention.
Because many leaked fields mirror those collected by the credit-reporting sector, suspicion soon focused on Serasa Experian, the São Paulo arm of global bureau Experian. In February 2021 the company confirmed it was investigating but reported “no evidence” that Serasa’s systems had been breached after a detailed forensic review by external specialists. No organisation has yet been proven liable for the compromise.
Regulatory bodies reacted swiftly. Brazil’s new National Data Protection Authority (ANPD) launched a formal inquiry within days, while the Senate’s Consumer Protection Commission held emergency hearings. The Ministry of Justice later opened an administrative case that could trigger multimillion-real fines under the Lei Geral de Proteção de Dados (LGPD). In parallel, the Federal Police began Operation Deepwater, which evolved into “Operation Data Breach” in 2024 and led to the arrest of a suspected data broker accused of selling fragments of the archive to international fraud rings.
Security analysts warn that the dataset is tailor-made for identity theft, phishing and synthetic-credit fraud. Unlike passwords, CPF numbers and birth dates cannot be reset, leaving Brazilians exposed for decades. The incident has already accelerated multi-factor authentication rollouts across financial institutions and pushed companies to strengthen encryption, tokenisation and zero-trust architectures to meet LGPD’s “security by design” mandate.
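The tokenisation the paragraph above refers to, shown as an added example that is not code from DataBreach.com, Serasa Experian or any party to the case: CPF check-digit validation, a keyed deterministic surrogate (HMAC-SHA256) in place of the raw number, a separate vault holding the only token-to-CPF mapping, and a masked display form. Because a CPF cannot be reissued, the design goal is that application tables and exports contain only tokens, so a leaked table yields no CPFs without the vault and its key. The CPF values are constructed samples chosen to satisfy or fail the check-digit arithmetic, and the token format and vault layout are this example's own choices, not a real product's API.

```python
import hashlib
import hmac
import secrets
from typing import Dict, Optional

# Constructed sample values (not records from the breach): one CPF that
# satisfies the check-digit algorithm and one that fails it.
SAMPLE_CPF_VALID = "529.982.247-25"
SAMPLE_CPF_INVALID = "529.982.247-26"


def cpf_digits(cpf: str) -> str:
    """Normalise a CPF to its 11 digits; raise ValueError on anything else."""
    digits = "".join(ch for ch in cpf if ch.isdigit())
    if len(digits) != 11:
        raise ValueError("CPF must contain exactly 11 digits")
    return digits


def cpf_is_valid(cpf: str) -> bool:
    """Verify both CPF check digits (mod-11 weighted sums).

    Also rejects all-same-digit values such as 111.111.111-11, which pass
    the arithmetic but are never issued.
    """
    try:
        d = cpf_digits(cpf)
    except ValueError:
        return False
    if len(set(d)) == 1:
        return False
    nums = [int(ch) for ch in d]
    for pos in (9, 10):
        # Digit at `pos` is checked against the preceding digits weighted
        # from pos+1 down to 2.
        total = sum(n * w for n, w in zip(nums[:pos], range(pos + 1, 1, -1)))
        remainder = total % 11
        expected = 0 if remainder < 2 else 11 - remainder
        if nums[pos] != expected:
            return False
    return True


def tokenize_cpf(cpf: str, key: bytes) -> str:
    """Deterministic keyed surrogate for a CPF.

    HMAC-SHA256 under a secret key: the same CPF always yields the same token,
    so records can still be joined on it, but without the key the 10^11
    possible CPFs cannot be enumerated against a leaked token column.
    """
    mac = hmac.new(key, cpf_digits(cpf).encode("ascii"), hashlib.sha256)
    return "cpf_tok_" + mac.hexdigest()[:32]


class TokenVault:
    """Minimal token vault: the only place the token -> CPF mapping exists.

    In a real deployment this is a separate, tightly access-controlled
    service with the key held in an HSM or KMS; application databases
    store only the tokens it returns.
    """

    def __init__(self, key: Optional[bytes] = None) -> None:
        self._key = key if key is not None else secrets.token_bytes(32)
        self._store: Dict[str, str] = {}

    def tokenize(self, cpf: str) -> str:
        if not cpf_is_valid(cpf):
            raise ValueError("refusing to tokenize an invalid CPF")
        token = tokenize_cpf(cpf, self._key)
        self._store[token] = cpf_digits(cpf)
        return token

    def detokenize(self, token: str) -> Optional[str]:
        """Reverse lookup; returns None for tokens this vault never issued."""
        return self._store.get(token)


def mask_cpf(cpf: str) -> str:
    """Display form that reveals only the final digits: ***.***.247-25."""
    d = cpf_digits(cpf)
    return f"***.***.{d[6:9]}-{d[9:]}"


if __name__ == "__main__":
    vault = TokenVault()
    token = vault.tokenize(SAMPLE_CPF_VALID)
    print("stored in application DB:", token)
    print("shown to support staff:  ", mask_cpf(SAMPLE_CPF_VALID))
    print("vault lookup:            ", vault.detokenize(token))
    print("invalid sample rejected: ", not cpf_is_valid(SAMPLE_CPF_INVALID))
```

The vault rejects malformed CPFs before issuing a token so that bad input cannot pollute the mapping, and the masked form is what a help desk or log line should carry; the raw digits exist only inside the vault.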