iFood stated on Wednesday (03/06) that it identified a data breach affecting approximately 1.2 million users, equivalent to around 2% of its customer base. According to the company, the cyberattack occurred in December 2025 but was detected and contained shortly afterward. The disclosure came after a user on BreachForums, a dark web forum known for the sale and exchange of stolen information, claimed last week to possess data belonging to more than 43.84 million Brazilian iFood customers. The alleged dataset reportedly included CPF numbers, names, email addresses, phone numbers, and credit card-related information.
Authorities
The company argued that it did not notify the National Data Protection Authority (ANPD) because, in its assessment, the incident did not pose a significant risk or cause substantial harm to affected individuals under the criteria established by Brazilian regulations. The ANPD, however, informed Folha de S.Paulo that it had already formally contacted iFood and requested detailed information regarding the incident and its potential consequences.
Duty to Communicate
The ANPD stated that, under Brazil’s Incident Communication Regulation, data controllers are required to notify both the authority and affected individuals within three business days whenever a security incident may result in significant risk or damage to data subjects. Rafael Zanatta, co-director of the organization Data Privacy Brasil, argued that there is little doubt that the incident falls within the reporting requirements. According to him, a breach affecting more than one million individuals constitutes a large-scale event. He noted that the ANPD evaluates not only the number of affected users but also the geographic scope of the incident. Given iFood’s nationwide presence, Zanatta maintains that the company had an obligation to report the breach and could face regulatory consequences if it failed to do so.
Potential Damage
According to Zanatta, the most significant risks associated with the incident are not related to financial fraud involving passwords or payment cards, as there is currently no indication that such information was exposed. Instead, the primary concern involves social engineering attacks, phishing campaigns, and malware distribution through fraudulent links, emails, or text messages. He advised users to exercise caution when receiving messages through WhatsApp, email, or SMS, particularly when the sender cannot be independently verified. Experts warn that leaked personal information can be used by cybercriminals to create convincing scams designed to obtain additional sensitive data or gain unauthorized access to accounts and devices.
Analysis
From a cybersecurity perspective, the most significant aspect of this case is not necessarily the number of affected users, but the debate surrounding disclosure obligations and risk assessment. A breach involving approximately 1.2 million individuals represents a large-scale security incident by any reasonable standard, particularly when it affects a platform with nationwide reach. The disagreement between iFood and the National Data Protection Authority illustrates a broader challenge faced by regulators worldwide: determining when an incident creates sufficient risk to require mandatory notification. Transparency has become a central component of modern data protection frameworks because timely communication allows users to take preventive measures before criminal actors can exploit compromised information.
Source: Folha de S.Paulo.