Netshoes customer data breach
Brazilian e-commerce giant Netshoes exposed the personal data — names, CPF tax IDs, emails and purchase histories — of about 2 million customers, drawing one of the first major enforcement actions by Brazilian prosecutors over a data breach.
- Victim: Netshoes
- Loss: $135.0K
- Records: 2.0M
- Users: 2.0M
In January 2018, Brazil's largest online sporting-goods retailer, Netshoes, was revealed to have exposed the personal data of roughly 2 million customers — an early landmark case in Brazilian data-protection enforcement.
What happened
The breach surfaced when an attacker offered a sample of Netshoes customer records, which was brought to the attention of the Public Prosecutor's Office of the Federal District and Territories (MPDFT). On 26 January 2018, prosecutors publicly disclosed that around 2 million customers had their data exposed. The compromised records included names, CPF tax identifiers, email addresses, dates of birth and purchase histories. Notably, no credit-card numbers or account passwords were reported among the leaked data.
The records were later catalogued by the breach-notification service Have I Been Pwned.
Prosecutors step in
Brazil had no comprehensive data-protection statute in force at the time — the LGPD would only be enacted later in 2018. The MPDFT nonetheless invoked consumer-protection law, formally recommending that Netshoes contact every affected customer and threatening a public civil action. Initially Netshoes resisted individual notifications, but under pressure it began emailing affected users.
Settlement
Because Netshoes ultimately cooperated with the investigation, the matter was resolved through a Conduct Adjustment Term (Termo de Ajustamento de Conduta, TAC) signed on 5 February 2019. Under the agreement, Netshoes paid BRL 500,000 (roughly US$135,000) in collective moral-damages compensation and committed to security and notification improvements. Had it failed to comply, the agreement exposed the company to a class action valued at around BRL 10 million plus a further BRL 85 million property-damage claim.
Why it matters
The Netshoes case is frequently cited as a proof of concept for Brazilian data-breach enforcement before the LGPD. It showed that the MPDFT was willing to use existing consumer-protection tools to force a company to notify victims and pay damages — establishing the right to individual notification as an expectation in Brazil. When the LGPD and the ANPD later took effect, the Netshoes precedent helped frame how regulators and prosecutors would approach corporate accountability for breaches, making it a foundational moment in Brazil's privacy-enforcement history despite its comparatively modest fine.
Timeline
- Before 26 January 2018: An attacker reportedly accesses Netshoes customer records and offers a sample of the data.
- 26 January 2018: Brazil's Federal District Public Prosecutor's Office (MPDFT) discloses the leak of ~2 million customer records and demands Netshoes notify those affected.
- After the disclosure: Netshoes begins notifying affected customers by email at the prosecutors' insistence.
- 5 February 2019: Netshoes signs a Conduct Adjustment Term (TAC) with the MPDFT, agreeing to pay BRL 500,000 in damages.
Sources
- dataguidance.com: https://www.dataguidance.com/news/brazil-mpdft-announces-netshoes-fined-brl-500000-over
- haveibeenpwned.com: https://haveibeenpwned.com/Breach/Netshoes
- tiinside.com.br: https://tiinside.com.br/en/26/01/2018/mpdft-pede-providencias-netshoes-apos-vazamento-de-2-milhoes-de-dados-de-clientes/
- en.wikipedia.org: https://en.wikipedia.org/wiki/Netshoes