Blog

News and articles on Data Protection, Technology Law, and Information Security, curated by BrownPipe Consultoria and the Segurança Legal Podcast.

Critical vulnerability in n8n exposes 100,000 servers to full takeover Jan 16, 2026
Information Security

A maximum severity security flaw was discovered in the n8n automation platform, leaving approximately 100,000 servers vulnerable to complete takeover by unauthenticated attackers. The vulnerability, identified as CVE-2026-21858 and dubbed "Ni8mare" by researchers, received a CVSS score of 10.0 and allows remote code execution without credentials.

New vulnerability classification exposes security risks in autonomous AI agents Jan 16, 2026
Artificial Intelligence

OWASP (Open Worldwide Application Security Project) released in December 2025 the Top 10 for Agentic Applications 2026, a document identifying the 10 highest-impact threats to artificial intelligence systems that operate autonomously to plan, decide, and act across multiple stages and systems.

Critical MongoDB flaw actively exploited, affecting over 87,000 instances worldwide Jan 15, 2026
Information Security

A recently disclosed security vulnerability in MongoDB is being actively exploited, with over 87,000 potentially susceptible instances identified worldwide. The flaw, identified as CVE-2025-14847 (CVSS score of 8.7) and dubbed MongoBleed, allows an unauthenticated attacker to remotely leak sensitive data from MongoDB server memory.

ANPD's new regulatory agenda for 2026-2027 Jan 15, 2026
LGPD and Data Protection

Brazil's National Data Protection Authority (ANPD) published on December 24, 2025 the Priority Topics Map for enforcement in the 2026-2027 biennium and the updated Regulatory Agenda 2025-2026. The documents establish enforcement and regulatory actions for obligations under LGPD (Brazil's data protection law) and the Children's Digital Statute.

New attack technique uses Microsoft Copilot to exfiltrate data in one click Jan 15, 2026
Artificial Intelligence

Security researchers disclosed details of a new attack method called Reprompt that allows malicious actors to exfiltrate sensitive data from AI chatbots like Microsoft Copilot with just one click on a legitimate link, bypassing corporate security controls without requiring plugins or additional user interaction with the assistant.

New cybersecurity controls from Brazil's Central Bank: Resolutions CMN 5,274/2025 and BCB 538/2025 Jan 15, 2026
News

Brazil's Central Bank strengthens technical cybersecurity controls. The National Monetary Council and the Central Bank of Brazil published on December 18, 2024, Resolutions CMN No. 5,274/2025 and BCB No. 538/2025, which substantially alter the cybersecurity regulatory framework applicable to supervised institutions.

Critical LangChain vulnerability exposes millions of AI applications Jan 15, 2026
Artificial Intelligence

A critical security flaw was discovered in LangChain, one of the most widely used AI frameworks in the world, exposing millions of applications to the risk of credential theft and malicious code injection. The vulnerability allows attackers to exploit LangChain's core serialization logic to extract environment variables and execute unauthorized actions.

New "HashJack" attack exploits vulnerability in browsers and AI assistants Jan 15, 2026
Artificial Intelligence

Security researchers at Cato Networks identified a new indirect prompt injection technique called HashJack, which can force popular AI browsers and assistants to deliver phishing links, medication dosage misinformation or investment advice, send sensitive data to attackers, or induce users to perform risky actions.

The first AI-orchestrated cyberattack: a shift in the security landscape Nov 18, 2025
News

In September 2025, Anthropic, the company behind Claude, identified what may be considered the first automated attack carried out with the aid of AI, hitting 30 companies and marking a significant shift in how cybercriminals operate.

From a Louvre theft to GDPR: what digital security teaches us today Nov 13, 2025
News

The information security landscape is a dynamic battlefield where tactics change as fast as technology. In a single day, the news can range from a classic art theft to a debate about the future of artificial intelligence. How can we connect seemingly disparate events, such as an incident at the Louvre Museum, new scams on Meta, and the simplification of complex regulations like the GDPR?

ANPD: 5-year review points to strengthening and new regulatory powers Nov 13, 2025
LGPD and Data Protection

Brazil's National Data Protection Authority (ANPD) celebrated its fifth anniversary at a ceremony that brought together authorities and experts to present a review of its activities and announce a new cycle of priorities. The event highlighted the consolidation of the agency as a strategic independent authority and marked the beginning of an expansion phase.

LGPD enforcement: ANPD launches new interactive tool Nov 13, 2025
LGPD and Data Protection

Brazil's National Data Protection Authority (ANPD) announced the launch of the Enforcement Dashboard, a new interactive tool designed to facilitate public access to information about its enforcement actions...

Brazil's Central Bank expands SCR scope and includes credit assignments with LGPD implications Nov 12, 2025
Financial Sector

Brazil's Central Bank published Resolution BCB No. 516, of October 29, 2025, amending Circular No. 3,870/2017, which regulates the provision of information to the Credit Information System (SCR). The main change brought by the regulation is the...

Criminals use WhatsApp to spread advanced banking trojans Nov 12, 2025
Information Security

Security researchers have identified connections between two banking malware strains targeting users and financial institutions in Brazil: Coyote and the recently discovered Maverick. Both malicious programs are written in .NET and share...

Artificial intelligence and creativity: can AI surpass the human mind? Nov 6, 2025
News

Artificial intelligence (AI) is no longer a science fiction concept; it has become a driving force in our daily lives, optimizing everything from complex industrial processes to creative tasks. While its application in analytical fields is widely...

Password leaks, banking insecurity, and the AI fiasco - Ep. 405 of Segurança Legal Podcast Oct 28, 2025
News

It is no secret that technology advances at a dizzying pace, bringing innovations that transform people's daily lives and the business environment. AI, in particular, has gone from being a promise to becoming an omnipresent tool...

Six in ten companies were targeted by AI-powered attacks in the past year Oct 13, 2025
Artificial Intelligence

A survey of cybersecurity leaders conducted by Gartner revealed that 62% of companies reported attacks against their employees using artificial intelligence in the past year. The attacks involved both prompt injections and...

Security breach compromises court records in labor courts across Brazil Oct 8, 2025
Information Security

Brazil's Superior Council of Labor Justice (CSJT) identified and blocked an unusual and simultaneous access to multiple judicial proceedings in its electronic system. The irregular access was resolved immediately after detection. The body clarified that...

New malware spreading via WhatsApp targets Brazilian users Oct 8, 2025
Information Security

Brazilian users have been targeted by a new self-propagating malware called SORVEPOTEL, which spreads through WhatsApp. The campaign, dubbed Water Saci by Trend Micro, exploits users' trust in the messaging platform to...

Court applies LGPD and holds bank liable for social engineering fraud using leaked data Sep 25, 2025
Law and Technology

The Court of Justice of Alagoas upheld a ruling that ordered Banco Bradesco to pay R$ 2,500.00 in moral damages and double restitution of amounts improperly deducted after a banking fraud that victimized a disability retiree...

Credit protection company ordered to pay damages for selling personal data Sep 25, 2025
Law and Technology

The São Paulo Court of Justice ruled that the company Boa Vista Serviços must pay R$ 5,000.00 in moral damages after selling a consumer's personal data without prior authorization. The 28th Chamber of Private Law partially reversed the lower court's decision, recognizing a violation of the consumer's data protection rights.

Brazil's Digital ECA Law is signed into effect Sep 18, 2025
LGPD and Data Protection

President Luiz Inácio Lula da Silva signed Law 15.211/25, which protects children and adolescents in the digital environment. The text was published in a special edition of the Official Gazette on Wednesday (17). BrownPipe Consultoria, through its Segurança Legal podcast, published episode 400 addressing some of the new law's provisions.

University fined for retaining former employee's emails for two years Sep 18, 2025
Law and Technology

Italy's Data Protection Authority (Garante per la protezione dei dati personali) issued a sanctioning decision against the University of Cassino and Southern Lazio on July 10, 2025, imposing a total fine of EUR 8,000 for multiple violations of the General Data Protection Regulation (GDPR).

European Commission approves draft decision recognizing LGPD as equivalent to EU law Sep 18, 2025
LGPD and Data Protection

The European Commission released on September 5, 2025, the draft of its future adequacy decision aimed at recognizing that Brazil ensures a level of personal data protection equivalent to that provided under European legislation for the purposes of international data transfers.

STJ rules credit bureaus cannot share consumer data with third parties without authorization Sep 18, 2025
Law and Technology

Brazil's Superior Court of Justice (STJ) ruled by majority that companies managing credit protection databases cannot make consumers' registration and payment compliance information available to third-party inquirers without the data subject's prior authorization.

Rio de Janeiro's Procon fines 32 pharmacies R$ 1 million for irregular collection of personal data Sep 18, 2025
LGPD and Data Protection

The Municipal Secretariat for Consumer Protection and Defense of Rio de Janeiro, through Procon Carioca (Consumer Protection Agency), fined 32 pharmaceutical establishments during the first week of the second phase of the 'CPF Protegido' operation. The total penalties applied reached R$ 1 million.

Brazil's Central Bank requires financial institutions to reject transactions to fraud-suspected accounts Sep 18, 2025
Financial Sector

Brazil's Central Bank approved a new regulation requiring all authorized account-holding institutions to reject payment transactions directed to accounts with a well-founded suspicion of involvement in fraud. The measure represents a significant tightening of security controls in the national financial system.

ANPD becomes a regulatory agency and gains authority to protect children online Sep 18, 2025
LGPD and Data Protection

The President of Brazil signed Bill No. 2,628/2022 on Tuesday (17), establishing the Digital Child and Adolescent Statute (Digital ECA), creating Law No. 15,211 of September 17, 2025. This legislation represents a fundamental milestone for the protection of children and adolescents in the online environment.

Summary of Brazil's Central Bank press conference on new information security measures Sep 5, 2025
Financial Sector

The president of Brazil's Central Bank, Gabriel Galípolo, held a press conference (watch the video) on September 5, 2025, accompanied by directors and the executive secretary, to announce emergency information security measures for the financial system...

Brazil's financial system gets new information security standards Sep 5, 2025
Financial Sector

As anticipated by BrownPipe Consultoria in ep. 396 of the Segurança Legal podcast, Brazil's Central Bank decided to strengthen financial system security measures following recent attacks that diverted millions. The new rules take effect on September 5, 2025, and aim to establish stricter controls over financial operations and IT service providers.

Financial institution held liable for security flaws in PIX transactions Aug 8, 2025
Law and Technology

The São Paulo State Court of Appeals (TJSP) upheld the ruling that condemned the financial institution Mercado Pago for failing to provide adequate security in an unauthorized PIX transaction worth R$ 32,000.00. The court recognized that the fraudulent transfer occurred without strong authentication, token, or biometrics, constituting a breach of the security obligations set forth in the Consumer Protection Code and LGPD (Brazil's General Data Protection Law). The institution was held strictly liable and ordered to reimburse the debited amount.

Generic personal data sharing clause voided for violating LGPD Aug 8, 2025
Law and Technology

The Minas Gerais State Court of Appeals (TJMG) rejected an appeal by a financial institution and upheld the decision that voided a contractual clause regarding the sharing of personal data with affiliated companies, subsidiaries, parent companies, or bank partners. The ruling concluded that the clause, included in an adhesion contract without free, informed, and explicit consent, is abusive and violates LGPD (Brazil's General Data Protection Law).

TJMG upholds compensation for unauthorized deductions and data protection violation Aug 8, 2025
Law and Technology

The Minas Gerais State Court of Appeals (TJMG) upheld the conviction of a financial institution to pay compensation for moral damages and for violating LGPD (Brazil's General Data Protection Law), in addition to the double reimbursement of amounts improperly deducted from a consumer's pension benefit. The decision recognized that there was no proof of a valid contract, characterizing a failure in service provision and holding the bank strictly liable.

Employee criticism on WhatsApp does not justify dismissal for just cause Jul 10, 2025
LGPD and Data Protection

The Regional Labor Court of the 22nd Region ruled by majority to overturn a dismissal for just cause and ordered payment of the severance benefits due in cases of dismissal without just cause. The case involved a worker who served as a driver's assistant and was dismissed on allegations of dishonesty, misconduct, and insubordination, based on messages exchanged in WhatsApp groups.

Unauthorized access to medical records leads to dismissal for just cause Jul 9, 2025
Law and Technology

The Regional Labor Court of the 2nd Region (TRT-SP) upheld the dismissal for just cause of a nurse who accessed, without authorization, the medical records of her grandmother who was hospitalized at the facility where she worked. The decision overturned the lower court ruling that had considered the punishment disproportionate and converted the termination into a dismissal without just cause.

Banks not liable for scams involving biometric data voluntarily provided by the customer Jul 2, 2025
Law and Technology

The Minas Gerais State Court of Appeals (TJMG) upheld a ruling that denied a request for moral and material damages from an account holder who was a victim of bank fraud, also highlighting aspects related to LGPD (Brazil's General Data Protection Law). The consumer voluntarily provided their facial biometrics and other personal data to a third party, who then used this information to take out loans and make bank transfers in the victim's name.

Bank exempt from liability after account holder receives fraudster at home Jul 2, 2025
Law and Technology

The Rio de Janeiro State Court of Appeals overturned a lower court ruling and dismissed the bank's liability in a fraud case involving a payroll-deductible loan taken out without the account holder's consent. The plaintiff claimed to have been the victim of a scam after receiving phone calls and allowing third parties to visit his home to photograph documents and collect signatures, believing it was a legitimate promotion.

TJSP upholds lawfulness of using personal data for credit analysis without consent Jul 2, 2025
Law and Technology

The São Paulo State Court of Appeals (TJSP) upheld a ruling denying a claim for moral damages and injunctive relief in a lawsuit filed by a consumer against a credit analysis company. The plaintiff alleged that his personal data had been shared without consent, in supposed violation of Brazil's General Data Protection Law (LGPD) and the Consumer Protection Code.

Service provider must reactivate account after fraud-related invasion Jul 2, 2025
Vulnerabilities and CVEs

The Minas Gerais State Court of Appeals (TJMG) upheld a decision ordering a service provider to restore a user's access to her email account after proof of fraudulent invasion. The dispute arose after the account holder fell victim to phone line cloning, which allowed unauthorized third parties to access multiple platforms, including the email linked to the defendant, causing professional harm to the user, who works as a digital influencer.

Report: CNPD subsidies involving the financial market Jun 20, 2025
LGPD and Data Protection

The recent publication of documents by the working groups of the National Data Protection Council (CNPD) containing subsidies for developing Brazil's National Personal Data Protection and Privacy Policy provides a comprehensive assessment of considerations and recommendations involving the financial market.

Report – CNPD Subsidies on Information Security Jun 20, 2025
LGPD and Data Protection

The recent publication of documents by the working groups of Brazil's National Data Protection Council (CNPD), containing subsidies for the development of the National Personal Data Protection and Privacy Policy, enables a comprehensive assessment of considerations and recommendations related to information security.

ANPD and CNPD Advance Toward National Data Protection Guidelines Jun 20, 2025
LGPD and Data Protection

Brazil's National Data Protection Authority (ANPD) received on June 17, 2025 a document prepared by the National Data Protection Council (CNPD) containing subsidies for the development of the National Personal Data Protection and Privacy Policy guidelines.

Billions of Credentials Exposed: Recommendations for Businesses Jun 20, 2025
Vulnerabilities and CVEs

The news of a new credential leak recently reported by the CyberNews portal is an important opportunity for companies to reassess their information security policies and practices. It is one of the largest breaches ever reported, involving credentials from multiple platforms such as GitHub, Zoom, Apple, Google, Facebook, and Telegram.

Court Applies LGPD to Hold Company Liable for SCR Registration Without Notice Jun 13, 2025
Law and Technology

The Court of Justice of Minas Gerais denied appeals in a case involving compensation for moral damages arising from enrollment in the Central Bank's Credit Information System (SCR) without prior notice. The consumer's name was registered by DM Financeira in the restrictive database without proper notification, in violation of the Consumer Protection Code and Brazil's General Data Protection Law (LGPD).

ANPD Opens Public Consultation on Biometric Data Regulation Jun 13, 2025
LGPD and Data Protection

Brazil's National Data Protection Authority (ANPD) has launched a public input process on the processing of biometric data, seeking contributions from society to help regulate this category of sensitive data. The initiative follows enforcement proceedings opened against Tools for Humanity, the company behind the Worldcoin project, which attempted to collect Brazilian users' iris data in exchange for cryptocurrency.

Microsoft Patches 67 Vulnerabilities Including a WebDAV Zero-Day Jun 11, 2025
Information Security

Microsoft has released fixes for 67 security flaws, including a zero-day vulnerability in Web Distributed Authoring and Versioning (WebDAV) that is being actively exploited by cybercriminals. Of the 67 vulnerabilities patched, 11 are rated Critical and 56 are rated Important, covering 26 remote code execution flaws, 17 information disclosure issues, and 14 privilege escalation bugs.

Cybercriminals Trick 20 Companies with Fake IT Support Jun 6, 2025
Information Security

Google's Threat Intelligence Group has identified a cybercriminal group called UNC6040 that successfully tricked employees at approximately 20 organizations into installing a modified version of Salesforce's Data Loader, enabling large-scale data extraction. The group specializes in voice phishing campaigns targeting Salesforce instances for data theft and extortion.

ANPD Opens Public Consultation on Biometric Data Regulation Jun 6, 2025
LGPD and Data Protection

Brazil's National Data Protection Authority (ANPD) launched on Monday (02) a public input process on the topic 'Processing of Sensitive Personal Data – Biometric Data,' as established in its Regulatory Agenda for 2025–2026. The initiative seeks contributions from society to guide the agency's future regulatory action on this sensitive data category.

LGPD Does Not Bar Disclosure of Condo Delinquency Lists Jun 6, 2025
LGPD and Data Protection

The Court of Justice of Paraná overturned a first-instance ruling that denied condo residents access to the list of delinquent unit owners, expressly dismissing concerns related to LGPD (Brazil's General Data Protection Law). The 8th Civil Panel held that the building manager must produce all requested documents, including the delinquency list, in an anticipatory evidence action filed by owners at Condomínio Torre Blanca.

Point-in-Time vs. Continuous Pentest: Which Strategy Should Your Company Choose? Jun 3, 2025
Information Security

In a landscape where cyber threats evolve constantly, companies face a critical decision: how to structure their penetration tests (pentest) to maximize protection of their digital assets. BrownPipe Consultoria, a cybersecurity firm with over 13 years of experience, presents an analysis of two approaches that are gaining ground in the market.

School sanctioned for data protection violations in video surveillance May 30, 2025
LGPD and Data Protection

The Luxembourg National Commission for Data Protection (CNPD) ruled on multiple violations of the General Data Protection Regulation (GDPR) committed by a public school in its video surveillance system. The investigation was launched in October 2022 and included on-site visits to the institution in December 2022 and July 2023.

GOV.BR electronic signature sees 92% growth in 2025 May 30, 2025
Information Security

The GOV.BR Advanced Electronic Signature recorded significant growth of 92% in 2025, being used more than 75 million times between January and May of this year. Data released by the Ministry of Management and Innovation in Public Services (MGI) show that during the same period last year, 39 million signatures were made, highlighting the growing adoption of this digital solution by Brazilians.

Brazil's Central Bank creates system to prevent fraudulent account openings May 30, 2025
Law and Technology

Brazil's Central Bank (BACEN) published the regulations governing a new fraud prevention service that will be available to citizens starting in December 2025. The goal is to prevent fraudulent account openings using false identities, or the improper addition of new account holders to joint accounts and new representatives to corporate accounts.

Alleged security flaw at Unimed allows access to sensitive patient data May 30, 2025
Information Security

The Cybernews research team discovered an unprotected Apache Kafka instance belonging to Unimed, the world's largest healthcare cooperative, which resulted in the exposure of sensitive data from millions of Brazilian patients. Unimed, which has approximately 15 million clients, maintained an exposed instance containing customer conversations with the company's chatbot 'Sara,' as well as communications with physicians.

Fraudsters use confidential banking data to scam retired woman in Rio de Janeiro May 30, 2025
Law and Technology

The Rio de Janeiro State Court of Appeals denied the appeal filed by Banco Mercantil do Brasil against a ruling that recognized fraud in the contracting of payroll-deductible loans. The case involved a 67-year-old elderly consumer who fell victim to a scam carried out by a third party posing as an employee of the financial institution.

Court voids generic personal data sharing clause in loan contract May 30, 2025
Law and Technology

The Minas Gerais State Court of Appeals denied the appeal filed by Banco Pan S.A. and upheld the ruling that declared null a contractual clause allowing the compulsory sharing of personal data with third parties. The decision was issued by the 13th Civil Chamber in a contract review action brought by a client who challenged the validity of clause 20.6 of her personal loan agreement.

Espírito Santo State Court of Appeals upholds bank conviction for fake payment slip scam May 23, 2025
Law and Technology

The Espírito Santo State Court of Appeals (TJES), by majority decision, denied an appeal filed by Banco Votorantim S/A, upholding the first-instance ruling that ordered the bank to compensate a client who was a victim of the "fake payment slip" scam. The decision recognized the financial institution's liability for the security failure that allowed the consumer's data to be leaked.

Brazilian Chamber of Deputies committee advances artificial intelligence regulation May 23, 2025
Artificial Intelligence

Brazil's Chamber of Deputies established on Tuesday (May 20) the Special Committee tasked with debating Bill 2338/23, already approved by the Senate, which regulates the use of artificial intelligence (AI) in Brazil. The initiative, authored by Senator Rodrigo Pacheco (PSD-MG), is the result of a jurists' committee's work and is now advancing as a priority in the Chamber, subject to a ten-plenary-session deadline for issuing its opinion.

ANPD presents results of public consultation on AI and automated decision-making May 23, 2025
LGPD and Data Protection

Brazil's National Data Protection Authority (ANPD) General Coordination for Regulation hosted a webinar on the morning of May 15 to present the results of the Public Input Process on Artificial Intelligence and the Review of Automated Decisions, held between November 6, 2024 and January 24, 2025. The contributions were consolidated into a Technical Note, with the goal of ensuring transparency in the process and providing input for future regulations.

Microsoft patches 78 vulnerabilities, including in Azure DevOps Server May 15, 2025
Information Security

Microsoft released security updates on Tuesday (May 14) addressing 78 vulnerabilities across its software lineup, with 11 rated critical, 66 rated important, and one rated low severity. Among them, five zero-day flaws stand out, as they were being actively exploited in the wild.

Read more
Continuous Pentests Are Essential for Security Beyond Compliance May 15, 2025
Information Security

Continuous Pentests Are Essential for Security Beyond Compliance

Conducting annual or periodic penetration tests solely to meet regulatory requirements such as PCI DSS, HIPAA, or ISO 27001 does not guarantee effective protection against vulnerabilities introduced after the last assessment. Recent reports show a significant increase in exploit activity, revealing that point-in-time tests leave gaps for attacks since they cannot keep pace with the speed at which new vulnerabilities emerge.

Read more
Top Online Scams Targeting Bank Customers in 2024 May 15, 2025
Law and Technology

Top Online Scams Targeting Bank Customers in 2024

According to a Febraban survey, WhatsApp scams, fake sales, and fake bank call center/employee scams were the most reported by customers in 2024. Criminals use tactics such as WhatsApp account cloning via security code theft, fake pages and profiles to simulate online sales, and impersonation of bank employees to steal victims' personal and financial data.

Read more
Police Operation Targets Group That Bypassed Facial Biometrics on GOV.BR May 15, 2025
Vulnerabilities and CVEs

Police Operation Targets Group That Bypassed Facial Biometrics on GOV.BR

The Federal Police launched Operation "Face Off" on May 13, aiming to dismantle a criminal organization specialized in fraudulently accessing digital accounts linked to the GOV.BR platform. The criminals used sophisticated facial manipulation techniques to bypass biometric authentication systems and gain unauthorized access to victims' digital accounts.

Read more
Court Rejects Compensation Claim for Medical Record Disclosure in Labor Defense May 15, 2025
LGPD and Data Protection

Court Rejects Compensation Claim for Medical Record Disclosure in Labor Defense

The Court of Justice of the State of Ceará (TJCE) upheld a decision rejecting a claim for moral damages in a case involving the use of medical records in labor proceedings. The plaintiff alleged violations of privacy, the Medical Ethics Code, and Brazil's General Data Protection Law (LGPD), due to the hospital's presentation of her medical records as evidence in its legal defense, without prior consent.

Read more
Banking Data Breach and Sense of Insecurity Entitle Victim to Compensation, Rules STJ May 15, 2025
Law and Technology

Banking Data Breach and Sense of Insecurity Entitle Victim to Compensation, Rules STJ

In a landmark decision, Brazil's Superior Court of Justice (STJ) recognized that the leaking of personal banking data that enables fraud against a consumer, in and of itself, gives rise to a right to compensation for presumed moral damages. In the case at hand, a consumer fell victim to a fake payment slip (boleto) scam after criminals obtained precise details about her financing contract — including the amount, number of installments, and vehicle license plate — data that should have been kept confidential by the financial institution.

Read more
Police Dismantle Interstate Gang That Committed Document Fraud via GOV.BR May 9, 2025
Information Security

Police Dismantle Interstate Gang That Committed Document Fraud via GOV.BR

The Civil Police of Rio Grande do Sul, through the Division for the Suppression of Electronic Property Crimes (DRCPE/DERCC), launched Operation Krypteia on the morning of Wednesday (May 7, 2025), aiming to dismantle a criminal organization specialized in fraud, document forgery, unauthorized access to computer devices, vehicle tampering, and money laundering. The group used data from compromised GOV.BR portal accounts to carry out the scams.

Read more
From the Myth of Tool Coverage to the Reality of Control Effectiveness May 9, 2025
Information Security

From the Myth of Tool Coverage to the Reality of Control Effectiveness

An alarming 61% of security leaders reported suffering a data breach in the last 12 months due to failures or misconfigurations in security controls. This situation persists even as companies use an average of 43 different cybersecurity tools, indicating that the problem lies in configuration, not in the amount invested in solutions.

Read more
TJRJ Convicts Bank and Strengthens LGPD Enforcement in Fraud Cases May 9, 2025
News

TJRJ Convicts Bank and Strengthens LGPD Enforcement in Fraud Cases

The Court of Justice of Rio de Janeiro (TJRJ), in an appellate ruling, held a financial institution liable for losses suffered by an elderly client who was a victim of the "fake courier" (motoboy) scam, with particular emphasis on the institution's failure in its duty to ensure the security and protection of personal data.

Read more
Nearly One-Third of Employees Use AI Secretly at Work May 9, 2025
Artificial Intelligence

Nearly One-Third of Employees Use AI Secretly at Work

An Ivanti report titled "2025 Technology at Work Report: Reshaping Flexible Work" revealed that approximately one-third (32%) of employees who use generative AI (GenAI) tools in the workplace do so secretly, without their employers' knowledge. The survey, which gathered input from more than 6,000 office workers and 1,200 IT and cybersecurity professionals, explores the challenges and opportunities in the modern workforce, highlighting a growing concern among employees about using technology to boost productivity.

Read more
Brazil's Central Bank Reports Security Incident Involving Cashway Pix Keys May 9, 2025
Law and Technology

Brazil's Central Bank Reports Security Incident Involving Cashway Pix Keys

The Central Bank of Brazil (BCB) publicly disclosed the occurrence of a security incident that resulted in the exposure of personal data linked to Pix keys. The isolated failure occurred in the systems of Cashway Tecnologia da Informação S.A., the institution responsible for the custody and safeguarding of the affected data.

Read more
Security Incident at XP May 2, 2025
Vulnerabilities and CVEs

Security Incident at XP

XP reported becoming aware, on March 22, 2025, of unauthorized access to a database hosted by one of its external vendors. The company stated it immediately blocked the access upon detecting the incident...

Read more
ANPD Enforcement Action Ensures Data Protection Officers Are Appointed at 20 Major Companies May 2, 2025
LGPD and Data Protection

ANPD Enforcement Action Ensures Data Protection Officers Are Appointed at 20 Major Companies

Twenty companies adjusted their operations to comply with Brazil's General Personal Data Protection Law (LGPD) following an enforcement action by the National Data Protection Authority (ANPD), which began in November of last year. The process was concluded...

Read more
Discord Faces Lawsuit Over Negligence in Child Protection Apr 23, 2025
LGPD and Data Protection

Discord Faces Lawsuit Over Negligence in Child Protection

New Jersey's Attorney General filed a lawsuit against messaging platform Discord, accusing the company of deceptive and irresponsible business practices that expose children to violent and sexual content, as well as online predators...

Read more
Apple and Meta Fined by EU for DMA Violations Apr 23, 2025
LGPD and Data Protection

Apple and Meta Fined by EU for DMA Violations

The European Commission announced unprecedented fines against tech giants Apple and Meta for non-compliance with the Digital Markets Act (DMA), legislation designed to curb anti-competitive practices in the EU's digital markets. Apple was penalized...

Read more
Brazil's Central Bank Defines Financial Assets Linkable to Dynamic Payment Slips to Boost Security Apr 23, 2025
Law and Technology

Brazil's Central Bank Defines Financial Assets Linkable to Dynamic Payment Slips to Boost Security

The Central Bank of Brazil (BCB) published Normative Instruction No. 611/2025, which establishes the types of financial assets that may be linked to dynamic collection payment slips — a payment modality created to modernize and enhance the security of transactions involving negotiable credits...

Read more
Windows NTLM Vulnerability Attacks Surge, Demanding Immediate Patching Apr 23, 2025
Information Security

Windows NTLM Vulnerability Attacks Surge, Demanding Immediate Patching

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) added a medium-severity Windows vulnerability to its Known Exploited Vulnerabilities (KEV) catalog. The flaw, identified as CVE-2025-24054, allows attackers to steal NTLM hashes — a legacy Windows authentication method — through malicious files, enabling lateral movement attacks across networks...

Read more
Chrome Abandons Tracking Restrictions and Keeps Third-Party Cookies Active Apr 23, 2025
LGPD and Data Protection

Chrome Abandons Tracking Restrictions and Keeps Third-Party Cookies Active

After six years of development, Google announced the suspension of its plans to eliminate third-party cookies from the Chrome browser, marking a significant retreat from the promises of the Privacy Sandbox project. The decision came under pressure from regulators and competitors in the digital advertising industry...

Read more
Banking Fraud: Court Finds LGPD Violation and Orders Compensation Apr 23, 2025
Law and Technology

Banking Fraud: Court Finds LGPD Violation and Orders Compensation

The Rio de Janeiro Court of Justice ordered Banco do Brasil to reimburse funds and compensate a customer for moral damages after finding a banking security failure that enabled fraud and the misuse of personal data. The plaintiff was the victim of a scam after being contacted by phone, supposedly by a bank employee, and induced to carry out financial transactions...

Read more
Bank Not Liable for Fake Payment Slip Scam Without Proof of Security Failure Apr 23, 2025
Law and Technology

Bank Not Liable for Fake Payment Slip Scam Without Proof of Security Failure

The São Paulo Court of Justice upheld a ruling that denied a claim for material and moral damages by a consumer who fell victim to a so-called 'fake payment slip scam.' The plaintiff alleged that, while attempting to pay off a debt with a financial institution, he made a payment using a fraudulent slip provided by third parties, believing he was settling his account...

Read more
Fraud Affected More Than Half of Brazilians in 2024 Apr 10, 2025
Law and Technology

Fraud Affected More Than Half of Brazilians in 2024

According to Serasa Experian's 2025 Identity and Fraud Report, 51% of Brazilians were victims of fraud in the past year, and 54.2% of those people suffered financial losses. Among the losses, nearly 20% lost between R$1,000 and R$5,000...

Read more
WhatsApp for Windows flaw allows malicious code execution Apr 10, 2025
Information Security

WhatsApp for Windows flaw allows malicious code execution

A vulnerability in WhatsApp for Windows, identified as CVE-2025-30401, can be exploited to execute malicious code through manipulated attachments if the user is tricked into opening them. The issue affects all versions of WhatsApp Desktop prior to 2.2450.6.

Read more
Employee wins damages for unauthorized use of her image Apr 10, 2025
LGPD and Data Protection

Employee wins damages for unauthorized use of her image

The Regional Labor Court of the 5th Region awarded R$ 5,000 in moral damages to a former employee whose image was used without authorization by her employer on social media for commercial purposes. The company tried to justify the use through a generic clause in the employment contract, which the court deemed invalid.

Read more
SCR registration does not entitle consumers to moral damages Apr 10, 2025
Law and Technology

SCR registration does not entitle consumers to moral damages

The Court of Justice of the State of Goiás (TJGO) upheld the ruling that dismissed a consumer's request to have his name removed from the Credit Information System (SCR) of the Central Bank of Brazil. The plaintiff alleged lack of prior notification, but the court found no wrongful act or moral damages.

Read more
University ordered to pay damages for disclosing medical report without consent Apr 10, 2025
LGPD and Data Protection

University ordered to pay damages for disclosing medical report without consent

The 4th Special Court Panel of the Court of Justice of Paraná found that Unioeste violated the LGPD by publishing on its website, without consent, a medical report containing sensitive health information about a plaintiff. The university was ordered to pay R$ 10,000 in moral damages.

Read more
Company held liable for improper handling of truck driver's personal data Apr 10, 2025
LGPD and Data Protection

Company held liable for improper handling of truck driver's personal data

The Court of Justice of Paraná ruled on a moral damages lawsuit filed by a truck driver against two companies. The court found that Guep Soluções was responsible for the improper collection and processing of the plaintiff's data, which led to discrimination and financial harm in his work. The company was ordered to pay R$ 15,000 in damages.

Read more
Pentest: What it is, what it's for, and why it's essential for your business security Apr 8, 2025
Information Security

Pentest: What it is, what it's for, and why it's essential for your business security

Information security has never been more critical than today. Companies, governments, and individuals handle growing volumes of sensitive data that must be protected against cyberattacks. A single breach can cause financial losses and irreparable reputational damage. That's where Pentest — or penetration testing — comes in, with the goal of identifying and reporting vulnerabilities before criminals can exploit them.

Read more
Amazon sacrifices privacy to power the new Alexa+ Mar 27, 2025
LGPD and Data Protection

Amazon sacrifices privacy to power the new Alexa+

Amazon announced a significant change to the privacy policy for Echo devices, set to take effect on March 28. The company will eliminate the option for local voice command processing, requiring all users to send their recordings to Amazon's cloud. The change is tied to the launch of Alexa+, an AI-powered upgrade to the virtual assistant.

Read more
BACEN extends deadline for registration of fraud data-sharing companies Mar 27, 2025
Financial Sector

BACEN extends deadline for registration of fraud data-sharing companies

The Central Bank of Brazil (BACEN) postponed the effective date of Normative Instruction No. 590, which establishes procedures for registering companies hired to share data on fraud indicators. The new effective date is March 3, 2025, with effects starting May 2, 2025.

Read more
Oracle Cloud faces allegations of data breach affecting 6 million users Mar 27, 2025
Vulnerabilities and CVEs

Oracle Cloud faces allegations of data breach affecting 6 million users

Oracle is facing serious allegations of a data breach on its Oracle Cloud federated SSO login servers, despite firmly denying the incident. According to BleepingComputer's investigation, multiple companies confirmed the authenticity of shared data samples provided by an alleged hacker.

Read more
Consumer must bear fraud losses, rules TJPR Mar 27, 2025
Vulnerabilities and CVEs

Consumer must bear fraud losses, rules TJPR

The Court of Justice of Paraná (TJPR) overturned a first-instance ruling, clearing Mercado Pago of liability in a fraud case. The 6th Civil Chamber concluded that no service failure occurred on the company's part, reversing the initial judgment that had ordered Mercado Pago to compensate a consumer who was a victim of a scam.

Read more
90% of AI Usage in Companies Is Invisible to Security Teams Mar 19, 2025
Artificial Intelligence

90% of AI Usage in Companies Is Invisible to Security Teams

LayerX's 2025 Enterprise Generative AI Security Report presents alarming data about the use of generative AI tools in corporate environments. The research, based on telemetry collected from LayerX Security's customer base, reveals that nearly 90% of AI application access is invisible to organizations.

Read more
Italian Ruling Reinforces the Importance of Corporate Email Management Policies Mar 17, 2025
LGPD and Data Protection

Italian Ruling Reinforces the Importance of Corporate Email Management Policies

Contrary to what is commonly assumed, organizations have specific data protection obligations even after employment ends. Even if the company has legitimate interests in retaining such data (historical records of client and supplier contacts, preservation of evidence for potential future litigation, etc.), it must still respect the principles typical of data protection frameworks, ensuring employees' rights.

Read more
Installing a Fraudulent App Blocks Compensation in Bank Fraud Case Mar 17, 2025
Law and Technology

Installing a Fraudulent App Blocks Compensation in Bank Fraud Case

A customer of Caixa Econômica Federal (CEF) had her claim for material and moral damages denied after falling victim to a banking scam. The decision was issued by the 9th Panel of the Federal Special Court of the 3rd Region, in São Paulo, which upheld the lower court ruling.

Read more
Security Breach Exposes Pix Users' Registration Data Mar 17, 2025
Financial Sector

Security Breach Exposes Pix Users' Registration Data

The Central Bank of Brazil (BC) publicly announced a security incident involving personal data linked to Pix keys. The breach resulted from isolated failures in the systems of QI SCD S.A., the institution responsible for storing that information.

Read more
Hospitality Under Fire: Fine for Excessive Data Collection via WhatsApp Mar 17, 2025
LGPD and Data Protection

Hospitality Under Fire: Fine for Excessive Data Collection via WhatsApp

A hospitality company in Spain was fined €1,200 for violating the data minimization principle of the European Union's General Data Protection Regulation (GDPR). The violation occurred when the company asked guests, including children, to send photos of their identity documents via WhatsApp.

Read more
Court Convicts Boa Vista for Unauthorized Sale of Personal Data for Marketing Mar 7, 2025
News

Court Convicts Boa Vista for Unauthorized Sale of Personal Data for Marketing

The São Paulo Court of Justice (TJSP) convicted Boa Vista Serviços S.A. for selling a consumer's personal data without proper consent, in violation of Brazil's General Data Protection Law (LGPD). The plaintiff alleged that the company sold information such as estimated income, address, and phone numbers without authorization, allowing third parties to access this data for marketing purposes rather than credit protection.

Read more
Court Strikes Down Abusive Clause on Personal Data Sharing Mar 7, 2025
Law and Technology

Court Strikes Down Abusive Clause on Personal Data Sharing

The Minas Gerais Court of Justice overturned a ruling that had dismissed a consumer's lawsuit challenging contractual clauses against Banco Santander. The plaintiff contested the validity of a clause in a banking contract that allowed the sharing of her personal data, was not given specific prominence, and offered no option to refuse.

Read more
BACEN Implements Pix Changes to Enhance Security Mar 7, 2025
Financial Sector

BACEN Implements Pix Changes to Enhance Security

The Central Bank of Brazil published Resolution BCB No. 457, dated March 6, 2025, amending the regulations of the Pix payment arrangement, originally established by Resolution BCB No. 1, dated August 12, 2020. The changes aim to strengthen security mechanisms in the use of the system, with emphasis on stricter validations and adjustments to processes related to Pix keys.

Read more
LGPD: STJ Rules Insurer Liable for Data Security Breach Feb 27, 2025
Vulnerabilities and CVEs

LGPD: STJ Rules Insurer Liable for Data Security Breach

In a landmark ruling, the Superior Court of Justice (STJ) decided, in a special appeal, that insurers are objectively liable for leaks of their clients' sensitive data. The case involved Prudential do Brasil Seguros de Vida S.A., which was ordered to pay moral damages after failing to protect an insured's personal and sensitive information.

Read more
Court Clears Bank of Liability in Boleto Fraud Scheme, Blames Consumer Feb 27, 2025
Law and Technology

Court Clears Bank of Liability in Boleto Fraud Scheme, Blames Consumer

The 2nd Civil Special Court of São José dos Pinhais overturned a lower court ruling and cleared Banco Votorantim S.A. of liability for a boleto fraud suffered by a customer. The court found that the consumer failed to take minimum due diligence measures when paying a fraudulent boleto generated by scammers, and that there was no service failure on the bank's part.

Read more
