By Brazil Stock Guide – Brazilian food delivery platform iFood said on Wednesday that data from about 1.2 million users was exposed in a security incident, but said passwords, payment methods, banking data and financial transactions were not compromised.
The company said the incident occurred in December 2025 and was limited to roughly 2% of its customer base. The exposed information included users’ names and CPF numbers, Brazil’s taxpayer identification document.
iFood said the breach was isolated and was quickly contained by its security protocols. The company added that there was no evidence of unauthorized access to bank details or data linked to transactions made on the platform.
The case raises questions over how Brazilian companies assess the relevance of cybersecurity incidents under the country’s General Data Protection Law, known as LGPD. iFood said it did not formally notify users because it concluded the incident did not create relevant risk or damage for data holders under criteria set by Brazil’s data protection authority, the ANPD.
“The incident was handled and assessed in strict compliance with the law, which waives reporting and communication when the event does not create relevant risk or damage to data holders, according to regulatory criteria defined by the ANPD,” the company said in a statement.
Although the company stressed that sensitive financial information was not affected, the exposure of CPF numbers is significant in Brazil, where the document is widely used for identity verification, consumer registrations and financial services.
iFood said it continues to adopt protection measures and reminded users that all official communications are made exclusively through the company’s own channels.
Leave a Reply